CyberSecurity Brief Alert ⚠️ #Data Breach: A WhatsApp Misconfiguration Allowed Google To Index Hundreds Of Thousands Of 'Private' Groups, Letting Anyone Discover & Join Them
-- prepared by @athertonlab cybersecurity incident elite response team
Here’s Everything You Need To Know Today — In 10 Minutes Or Less — About The World’s Most Important News, Events & Trends in CyberSecurity.
This CyberSecurity Brief Alert is sponsored by Mostly AI, The World's Most Advanced Synthetic Data Engine
A WhatsApp Misconfiguration Allowed Google To Index Hundreds Of Thousands Of 'Private' Groups, Letting Anyone Discover & Join Them #Data Breach
Hundreds of thousands of “private” WhatsApp groups are discoverable on Google’s index due to a website misconfiguration by WhatsApp’s IT team: A search on ‘site:chat.whatsapp.com trump’ will return the private groups discussing the U.S. President, for example.
Google’s response:
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results.
Facebook/WhatsApp response:
Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.
However, security engineer HackrzVijay revealed that s/he had reported the bug to Facebook/WhatsApp last November, and that the company called it an “intentional product decision”:
Unfortunately, this bug is not eligible for bounty. The links being accessible by anyone was an intentional product decision. Group admins can invalidate the link if so desired. The surprise here was that they’re indexed by Google. However, we cannot completely control what all search engines, Google, and others, index. Because of this we do not reward a bounty when the issue is search engines indexing some [sic!] url, said ‘Kurt’ from Facebook Security.
In conclusion: The most surprising thing in this case is that Facebook Security admitted—when the issue was reported in November—that it was surprised Google was indexing the links of private WhatsApp groups, when in fact this was a case of a simple website misconfiguration where a robots.txt rule or the `noindex` meta tag would have sufficed to avoid this data breach.
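As an added example (not code from this brief, WhatsApp or Google), here is a small Python audit of the two controls named above: it reads a constructed robots.txt, the response headers and the HTML of a placeholder invite URL the way a crawler would, and reports whether the URL is crawl-blocked, carries a `noindex` directive, or is plainly indexable. It also encodes the practitioner's caveat that `noindex` only takes effect when the crawler is allowed to fetch the page.

```python
"""Check whether an invite-link page is kept out of a search index.

Added example, not WhatsApp's or Google's code. All inputs are constructed
in-line; the invite path below is a placeholder, not a real group link.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class _MetaRobots(HTMLParser):
    """Collect the content of every <meta name="robots"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.directives.append((a.get("content") or "").lower())


def audit_indexability(url, robots_txt, headers, html, agent="Googlebot"):
    """Return what a crawler may do with `url` given robots.txt, headers and body."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())          # empty robots.txt => everything allowed
    crawlable = rp.can_fetch(agent, url)
    hdr = {k.lower(): v.lower() for k, v in headers.items()}
    header_noindex = "noindex" in hdr.get("x-robots-tag", "")
    parser = _MetaRobots()
    parser.feed(html)
    meta_noindex = any("noindex" in d for d in parser.directives)
    # Caveat: noindex is only honoured on a page the crawler actually fetched.
    # A robots.txt Disallow stops crawling, but a bare URL that is linked from
    # elsewhere can still be listed (without a snippet), so it is a weaker control.
    if crawlable and (header_noindex or meta_noindex):
        verdict = "noindex"
    elif not crawlable:
        verdict = "crawl-blocked"
    else:
        verdict = "indexable"
    return {"crawlable": crawlable, "header_noindex": header_noindex,
            "meta_noindex": meta_noindex, "verdict": verdict}


INVITE_URL = "https://chat.whatsapp.com/EXAMPLE-INVITE-CODE"  # placeholder path


def sample_misconfigured():
    """Constructed 'before' case: no robots rule, no noindex anywhere."""
    return audit_indexability(INVITE_URL, "", {}, "<html><head></head></html>")


def sample_hardened():
    """Constructed 'after' case: page still crawlable but served with noindex."""
    return audit_indexability(
        INVITE_URL, "User-agent: *\nDisallow: /static/\n",
        {"X-Robots-Tag": "noindex, nofollow"},
        '<html><head><meta name="robots" content="noindex"></head></html>')
```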