Indexed WhatsApp Chat Links Highlight Shadow Cloud Concerns

Recent alarm over publicly indexed WhatsApp messages sends an important message to CISOs: it’s time to audit your employees’ use of online tools.

The story broke in mid-February, when it emerged that Google had been indexing invitation links to WhatsApp group chats. Anyone who found one of these links could join the group with a single click, potentially gaining access to sensitive information. Google had indexed some 470,000 invitation links to private WhatsApp groups that people had shared online.

The indexed links showed titles, descriptions, images and the creator’s phone number. Chats covered everything from discussions among government workers through to LGBTQ+ groups. Joining them would reveal the phone numbers of all the group’s participants, potentially creating safety problems for members.

Facebook had apparently known about the problem since at least November 2019, when it responded to a user query by explaining that it could not control what Google indexed.

What happened next shows just how difficult it is to remove information from the internet once it is there. WhatsApp added a noindex directive to its group invitation link pages (which it should have done in the first place), telling search engines not to index them. The links gradually vanished from Google search results, but security researchers found that other search services were still indexing them; around 60,000 were still online, they said. Let's also not forget that a noindex directive does not stop a page from being fetched, and that web archiving services keep copies of public pages long after they have been deleted or de-indexed.
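The noindex fix described above is easy to get subtly wrong, and it is worth knowing how to verify it. The following is an added example, not code from the article or from WhatsApp: it checks whether an HTTP response carries a noindex directive, either as an `X-Robots-Tag` header or as a robots meta tag in the HTML, handling the case-insensitivity, comma-separated directives and bot-specific forms (`googlebot: noindex`) that a naive string search misses. The response samples are constructed for illustration and are not real WhatsApp pages; the function names are this example's own.

```python
# Added example: detect a noindex directive in an HTTP response.
# Not part of the original article; the sample responses below are constructed.
from html.parser import HTMLParser


class _RobotsMetaParser(HTMLParser):
    """Collect the content attribute of <meta name="robots"> and bot-specific variants."""

    def __init__(self, names):
        super().__init__()
        self._names = names          # meta names we honour, e.g. {"robots", "googlebot"}
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":            # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() in self._names:
            self.directives.extend(
                d.strip().lower() for d in a.get("content", "").split(",")
            )


def _header_directives(headers, names):
    """Parse X-Robots-Tag values; a value may be prefixed with a bot name ('googlebot: noindex')."""
    out = []
    for key, value in headers.items():
        if key.lower() != "x-robots-tag":
            continue
        for part in value.split(","):
            part = part.strip().lower()
            if ":" in part:
                bot, _, part = part.partition(":")
                if bot.strip() not in names:   # directive aimed at a different crawler
                    continue
                part = part.strip()
            out.append(part)
    return out


def is_noindexed(headers, html, bot="googlebot"):
    """True if the headers or the HTML tell the generic 'robots' agent or `bot` not to index the page."""
    names = {"robots", bot}
    parser = _RobotsMetaParser(names)
    parser.feed(html)
    directives = set(parser.directives) | set(_header_directives(headers, names))
    # 'none' is shorthand for 'noindex, nofollow'
    return "noindex" in directives or "none" in directives


# Constructed sample responses (hypothetical, not captured from WhatsApp).
INVITE_PAGE_BEFORE_FIX = {
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "html": "<html><head><title>Group chat</title>"
            "<meta property='og:title' content='Team chat'></head><body></body></html>",
}
INVITE_PAGE_AFTER_FIX = {
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "html": "<html><head><META NAME='Robots' CONTENT='noindex, nofollow'>"
            "<title>Group chat</title></head><body></body></html>",
}
HEADER_ONLY_FIX = {
    "headers": {"X-Robots-Tag": "googlebot: noindex"},
    "html": "<html><head><title>Group chat</title></head><body></body></html>",
}


def audit(pages):
    """Return {name: noindexed?} for a dict of sample responses."""
    return {name: is_noindexed(p["headers"], p["html"]) for name, p in pages.items()}


if __name__ == "__main__":
    samples = {
        "before_fix": INVITE_PAGE_BEFORE_FIX,
        "after_fix": INVITE_PAGE_AFTER_FIX,
        "header_only": HEADER_ONLY_FIX,
    }
    for name, flag in audit(samples).items():
        print(f"{name}: {'noindex' if flag else 'INDEXABLE'}")
```

Two caveats apply when using a check like this. First, a noindex directive only takes effect when the crawler next re-fetches the page, which is why the links disappeared from Google gradually rather than at once. Second, noindex is a request to indexers, not an access control: a page carrying it can still be fetched by anyone holding the URL, and archives and other search services may ignore it entirely. The only robust fix is not to expose the link in the first place.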

This isn’t the first time that inadvertently publishing a link to a private online resource has created problems. Users of the popular online Kanban board service Trello had been publishing sensitive personal information on boards that anyone could find with a simple web search. That story surfaced nearly two years ago, and searches still turn up such boards today.

Problems like these are arguably down to the users. Trello boards are private by default, and it takes a deliberate user action to make one public. Similarly, had users not posted the WhatsApp links publicly in the first place, they would not have been indexed and their group chat members would not have been put at risk.

In reality, users constantly do things they shouldn't and aren't likely to stop anytime soon, which means it's up to CISOs to put policies in place. These should dictate which services are appropriate for employees to post sensitive information on, and ban any discussion of work information outside those services. Allow-listing (whitelisting) the services permitted on the network is also a good idea.
