Initially spotted by journalist Jordan Wildon on Twitter, the backdoor isn’t a flaw in WhatsApp. Rather, the links to the groups have been shared in a public forum, making them open for indexing by Google’s search engine – no matter the intended privacy of the group.
A WhatsApp spokesperson told Motherboard:
"Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website."
Google's public search liaison even weighed in to point out this is just the web behaving like the web:
Search engines like Google & others list pages from the open web. That’s what’s happening here. It’s no different than any case where a site allows URLs to be publicly listed. We do offer tools allowing sites to block content being listed in our results: https://t.co/D1YIt228E3 — Danny Sullivan (@dannysullivan) February 21, 2020
So the moral of the story is that if you’re an admin for a WhatsApp group, don’t post the link on your public Facebook page or blog because at some point you might well get someone snooping on your phone number or trying to join, all from a simple Google search.
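For anyone who runs their own site or blog, the check below flags pages that carry a group invite link while still being open to search indexing. It is an added example, not code from WhatsApp, Google or the original article; the function names are hypothetical, the sample pages are constructed, and it assumes invite links are hosted on chat.whatsapp.com and that the site uses the standard robots `noindex` meta tag or `X-Robots-Tag` header to keep pages out of results.

```python
import re
from html.parser import HTMLParser

# Assumption: invite links are hosted on chat.whatsapp.com (not stated on the page).
INVITE_RE = re.compile(r"https?://chat\.whatsapp\.com/[A-Za-z0-9]+", re.I)

class _PageScan(HTMLParser):
    """Collects invite links and notes a robots 'noindex' meta tag."""
    def __init__(self):
        super().__init__()
        self.noindex = False
        self.invites = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.noindex |= "noindex" in a.get("content", "").lower()
        for value in a.values():  # href, data-* and similar attributes
            self.invites.update(INVITE_RE.findall(value))

    def handle_data(self, data):  # links pasted as plain text
        self.invites.update(INVITE_RE.findall(data))

def audit_page(html, headers=None):
    """Return (sorted invite links, indexable?) for one page you publish."""
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    hdrs = {k.lower(): v.lower() for k, v in (headers or {}).items()}
    indexable = not (scan.noindex or "noindex" in hdrs.get("x-robots-tag", ""))
    return sorted(scan.invites), indexable

def exposed(pages):
    """pages: {url: (html, headers)} -> {url: links} for indexable pages with invites."""
    report = {}
    for url, (html, headers) in pages.items():
        links, indexable = audit_page(html, headers)
        if links and indexable:
            report[url] = links
    return report

# Constructed sample pages; the invite codes are placeholders, not real groups.
LINK = "https://chat.whatsapp.com/EXAMPLEcode0000000001"
SAMPLE_PAGES = {
    "/club": ('<a href="%s">Join our chat</a>' % LINK, {}),
    "/members": ('<meta name="robots" content="noindex"><p>%s</p>' % LINK, {}),
    "/staff": ("<p>%s</p>" % LINK, {"X-Robots-Tag": "noindex, nofollow"}),
}

if __name__ == "__main__":
    print(exposed(SAMPLE_PAGES))
```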