WhatsApp exposed users' phone numbers in Google search results

Security researcher claims 'Click to Chat' feature revealed as many as 300,000 phone numbers via public search


Facebook-owned messaging service WhatsApp exposed as many as 300,000 users' phone numbers through public Google search results.

That's according to India-based researcher Athul Jayaram, who revealed that WhatsApp's 'Click to Chat' feature – a tool that allows users and small businesses to generate a URL through which other users can get in touch with them directly – does not use encryption to hide the user’s phone number in its link.


This "privacy lapse" means that some 300,000 phone numbers appeared in Google search results if someone searched for “site:wa.me”.

"This feature does not encrypt the phone number in the link, as a result, if this link is shared anywhere, your phone number is also visible in plaintext," Jayaram said.

"For example, you share this link with a friend on Twitter to reach you on WhatsApp. Your mobile number is visible in plain text in this URL and anyone who gets hold of the URL can know your mobile number, you cannot revoke it."

This is because the 'https://wa.me' URL does not have a robots.txt file in its server root, which means Google and other search engine bots cannot be prevented from crawling and indexing the links.
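The check below is an added example, not code from the researcher or WhatsApp: it audits a list of share links for plaintext phone numbers in the path and tests them against a robots.txt policy, treating a missing file as "allow all". The sample URLs, the phone-number pattern and the restrictive policy are constructed assumptions.

```python
import re
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# A whole path segment of 7-15 digits, the length range of an international
# (E.164) phone number. This pattern is an assumption made for the example.
PHONE_SEGMENT = re.compile(r"^\+?\d{7,15}$")


def has_phone_in_path(url):
    """True if any path segment of the URL looks like a plaintext phone number."""
    return any(PHONE_SEGMENT.match(seg) for seg in urlparse(url).path.split("/"))


def crawlable_phone_urls(robots_txt, urls, agent="Googlebot"):
    """Return the URLs that carry a phone number and that `agent` may crawl.

    robots_txt is the file's text, or None when the server has no robots.txt
    (crawlers treat a missing file as "everything allowed").
    """
    parser = RobotFileParser()
    parser.parse((robots_txt or "").splitlines())
    return [u for u in urls if has_phone_in_path(u) and parser.can_fetch(agent, u)]


# Constructed sample links using numbers reserved for fiction, not real users.
SAMPLE_URLS = [
    "https://wa.me/15555550100",
    "https://wa.me/447700900123",
    "https://wa.me/about",  # constructed non-number path for contrast
]

# Hypothetical restrictive policy, shown only for comparison.
BLOCK_ALL = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    print("no robots.txt:", crawlable_phone_urls(None, SAMPLE_URLS))
    print("Disallow: /  :", crawlable_phone_urls(BLOCK_ALL, SAMPLE_URLS))
```

robots.txt only governs crawling; keeping an already-linked URL out of a search index also takes a noindex directive, which this check does not cover.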

The Google listings didn’t reveal any other personal information, though Jayaram claims he could view the pictures and names of people who hadn’t made their data private through WhatsApp’s security options.


Users affected are from the UK, US, India and "almost all other countries".

Jayaram reported the issue to WhatsApp owner Facebook through its bug-bounty scheme, though the company said the disclosure did not qualify for a reward.

"While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public," a spokesperson said. "All WhatsApp users, including businesses, can block unwanted messages with the tap of a button."

Jayaram, however, believes the firm should take the disclosure more seriously: “Today, your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards… [allowing] an attacker to perform SIM card swapping and cloning attacks is another possibility,” he said.

News of this security lapse comes just weeks after researchers revealed that WhatsApp users were susceptible to shoulder surfing attacks due to the way the service restores accounts to new devices, with hackers able to compromise individuals using just their phone number.
