WhatsApp security flaw: 1000s of links to groups incl. 'Closed Groups' easily found

Razer g2s at riseup.net
Fri Mar 6 19:15:08 PST 2020

"A DW journalist recently discovered WhatsApp links that lead to closed
groups could be found with a simple Google search."

"WhatsApp links that lead to closed groups can be found with a simple
Google search — a major security flaw revealed by DW last week (link).
Following social media outrage, the links were removed from Google’s
search results.

Despite the removal, however, publicly-available internet archives are
still storing the information, as security researcher Lav Kumar has
found out. He gathered and organized over 60,000 unique links, which can
still be found on multiple websites.

Of the 1,000 randomly selected links DW tested, 427 were active chat
links. Even without actively joining a group, its title, description,
image and creator's phone number are available for all. However, upon
entering a group, it is possible to also see the phone numbers of up to
256 participants, as well as other information, and adding these numbers
to one's contacts can reveal their names in the app.

"We show all numbers in groups for people's safety that way they know
who will receive their messages," WhatsApp told DW in response.

Real-life danger

Using this information, DW gained access to a group described as
"Ministry of finance civil servants" in Indonesia, revealing the phone
numbers of all 14 members. Several other groups appeared to be official
support groups for the campaign of Brazilian President Jair Bolsonaro.

Among the 427 active links DW examined, there were groups described to
be for school classes, medical trainees, political campaigns,
businesses, pornography and sex workers. Some groups included members
with particularly sensitive identities, such as one chat with hundreds
of members clearly labeled as an LGBTQ+ group in a Latin American
country with high rates of homophobic murders.

In some cases, the group image looked like amateur pornography or had
titles such as "ex-wives leaked videos," raising questions of consent.

Also listed were potential terrorist groups and groups advertised as for
sharing footage of "extreme" sexual content, including rape. A small
number indicated that they were for child pornography.

WhatsApp told DW that the company has a zero-tolerance policy around
child sexual abuse and bans users immediately if they are found sharing
content that exploits or endangers children.

The platform also claims to ban approximately 250,000 accounts each
month suspected of sharing exploitative images of children and relies on
user reports and all unencrypted information to do so.

'Useful for terrorism chats'

In response to the revelations, some Twitter users pointed out that this
information could be used by authorities to track down illegal content
without WhatsApp offering an official "backdoor" to encrypted content.

"Of course there is a possibility that they left it open to search for
problem groups," Jake Moore, a cybersecurity specialist and former Head
of Digital Forensics at a British police force, told DW, "they aren’t
always too keen to help law enforcement, so might have found it
beneficial to offer it out to law enforcement and not openly mention it."

On whether law enforcement would use this proactively to identify crime,
Moore said: "Most police forces aren’t that proactive, [but] rather
reactive. However, I would imagine it would be useful for terrorism
chats, yet I doubt they use WhatsApp."

However, investigations into far-right terrorism in Germany show that
organizations have used Whatsapp to introduce members to each other.

Read more: German far-right extremists met on WhatsApp, planned mosque

More links:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20200306/137b0ec5/attachment-0001.sig>

More information about the cypherpunks mailing list