Over 60,000 private WhatsApp groups accessible online
WhatsApp is back in the news for all the wrong reasons: displaying their willingness to prioritize commercial gain at the expense of their users’ privacy and security. It was revealed last week that private group chats on the platform can easily be found via a Google search. Multimedia journalist Jordan Wildon, of Deutsche Welle, broke the news, tweeting "Your WhatsApp groups may not be as secure as you think they are." Which is an understatement to say the least!
The problem arises from the feature "invite to the group via link" which it turns out allows groups to be indexed on Google and other search engines, making them. Joining one of these groups will of course reveal the contents of the chat, but even without joining, the phone numbers and names of the participants are revealed. You can test the visibility of your own groups by searching ‘chat.whatsapp.com’ and adding in details relating to the group chat.
This discovery, while bad enough already, has been exacerbated by WhatsApp’s response. Although they quietly fixed that indexing issue for Google searches last week, the exact same flaw can still be exploited via other search engines, leaving more that 60,000 chats exposed. And to add insult to injury, it appears WhatsApp’s owners Facebook were alerted to this flaw in 2019, but chose to take no action.
Consider the group chat exposed by Vice, which revealed the phone numbers of 48 of its members, in what appeared to be non-governmental organizations accredited by the United Nations. Their personal data is being treated as public information by Facebook Security. But still organizations are proving incredibly slow to realize and react to the present threat. It was only last month that The EU Commission banned its staff from using WhatsApp, as part of its drive to improve the security of their communications. Sadly, as evidenced in recent headlines, sections of the US Government continue to rely on WhatsApp for communications among diplomats, legislators, public servants and military.
This all serves as further proof, as if it were needed, of the inadequacy of consumer messaging products for the enterprise. Even assuming that WhatsApp eventually does fix this particular flaw, there are still of course the intrinsic risks associated with the platform. Any organization still allowing staff to use the platform should ask themselves the following very simple question - do they trust Facebook with their sensitive information? Because not only does Facebook own WhatsApp, but they are in the process of integrating Instagram, Facebook Messenger and WhatsApp at the back end. The result is that when the user is the product, communication over a consumer messaging app should be considered to be happening in a public space – that’s the level of security they provide.
Cellcrypt offers enterprise the gold-standard in secure encrypted messaging. Crucially, we’re not a consumer app reverse engineered to provide more security. Instead, our technology came from protecting secure communications for government, intelligence services and the military – and it is that offering that we make available to the enterprise.
So, by all means carry on using those consumer apps with friends and family if you must, but for business conversations isn’t it time you had a solution you can actually trust?