Consumer-friendly and encrypted, WhatsApp is one of the most popular apps in use today with a whoppingÂ 1.5 billion users. But over recent months, an increasing number of questions are being raised about the encrypted appâ€™s security.Â
Sure, WhatsApp is end-to-end encrypted, but the most recently discovered flaw doesnâ€™t affect that aspect of the service. Last week, I detailed howÂ WhatsApp group chats are easily found via a Google search, because the search engine was indexing links to conversations intended to be private.Â
Privacy advocates were soon up in arms as tech siteÂ ViceÂ found phone numbers belonging to 48 participants in a group chat between non-governmental organizations accredited by the United Nations.Â
But suddenly, the links to chats were no longer available on Google. A source told me this is due to aÂ quiet changeÂ made by WhatsApp owner Facebook, which prevented the conversations being indexed by Google.
This problem isnâ€™t going away. The multimedia journalist for the German outletÂ Deutsche Welle, Jordan Wildon, who first found this issue, has this week revealed that over 60,000 groups are still accessible online.Â
The article details how a security researcher, Lav Kumar discovered the information was still being stored on publicly available internet archives. Wildon tested a randomly selected 1,000 of the unique links and found nearly half were active chats.
â€œEven without actively joining a group, its title, description, image and creator’s phone number are available for all,â€ the article reads. Worse, when entering a group, â€œit is possible to also see the phone numbers of up to 256 participants, as well as other information, and adding these numbers to one’s contacts can reveal their names in the app.â€
WhatsApp told DW in a statement: “We show all numbers in groups for people’s safety, that way they know who will receive their messages.”
However, the WhatsApp â€œfeatureâ€ is not always that safe. Wildon found groups including people who might be in danger if their identity was revealed. For example, one chat containing hundreds of members was labelled as an LGBTQ+ group based in a Latin American country with a high rate of homophobic murders.
Facebook owner WhatsApp sent me a comment, which reads: â€œGroup admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated.
â€œLike all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.â€
A new reason to leave WhatsApp?
WhatsApp is owned by Facebook, which is integrating the messaging service at the back end with Facebook Messenger and Instagram. The move is intended to support the end-to end-encryption needed for secure communications, but many see it as a cause for concern.
Big organizations have already started to move away from WhatsApp. If you use the group function for work chats, youâ€™d be very sensible to look elsewhere. The EU is already doing this, banning WhatsApp and instructing staffers to use Signal, and a mysterious other app for secure communications.
You can try and secure your group chats using this advice from Wildon, who recommends going into group settings, tapping â€œInvite to Group via Linkâ€ then â€œReset link.â€ This doesnâ€™t turn the link off: it generates a new one.
On top of that, even if you haven’t shared the link, it’s possible, but difficult, to run a kind of brute-force method to get access to a URL that corresponds to an active group chat.
It seems Facebook acknowledged this after @hackrzvijay alerted them, suggesting that admins can invalidate the link.
In the app, I could only generate a new link (which invalidates the old one), but couldnâ€™t disable it altogether.https://twitter.com/hackrzvijay/status/1230853118490857478 â€¦HackrzVijay @hackrzvijayReplying to @wongmjane and 2 othersI reported to facebook in early november362:07 PM – Feb 21, 2020Twitter Ads info and privacySee Jordan Wildon’s other Tweets
But the most secure thing you can do, if you care about your security at least in group chats, is to look atÂ alternatives to WhatsApp, such as Signal and Wickr. Signal isÂ addingÂ a number of cool new features that will make the switch much easier.Â
If itâ€™s a business chat perhaps try out Wickr, while to speak to your friends, Signal is probably best.