According to a new report titled "WhatsApp, Doc? A First Look at WhatsApp Public Group Data", WhatsApp may not be as secure as many users think it is. The report, which was put together by researchers from EPFL, Switzerland and Queen Mary University, shows that the app's Group Chat feature is vulnerable to data scraping. Specifically, the data shared in a group that has been made public can be stolen by any user in the group, including identifying information such as phone numbers and more. While that may not seem like a big deal at first glance, it's important to remember that public groups can be joined through a link and that those links are discoverable online.
That's down to the fact that users can share the link to a public Group Chat so that others can join it. Since chats can hold up to 256 members, and keeping track of authenticity becomes more difficult as more members are added, there are plenty of opportunities for enterprising would-be data thieves. In fact, the researchers behind the paper were able to glean phone numbers, images, videos, and web links shared across almost 454,000 messages from 178 public groups used by 45,794 WhatsApp users over just six months. Presumably, some of that is pulled from Android users as well. It stands to reason that any bad actors looking to do the same could very easily accomplish a similar goal. Users also don't need to send very many messages to end up at risk. As many as 75 percent of the users who were inadvertently included in the study sent only 5 messages on average. Meanwhile, more than 30 percent of those groups sent fewer than 1,000 messages in total over that six-month period.
The primary thing that all of these groups had in common is also the thing that put them at risk. Namely, they were public groups, or groups that had been made public by a member sharing the group's link on the internet. That is hardly surprising, given that earlier reports showed other areas where the chats are vulnerable. There are also websites that actively archive indexes of public groups, according to the researchers. That means that any public group that's joinable by a link is effectively at risk.