Recently, a security bug was discovered in WhatsApp which compromised users’ phone numbers. Read on to know more about it…
WhatsApp numbers of random users showed up on Google because of Facebook’s “Click to Chat” feature, which helps generate dedicated links to user profiles. A researcher, who claims to have discovered the development, calls it a privacy issue and says that it leaks nearly three lakh phone numbers of WhatsApp users in plaintext. However, the issue isn’t as serious as it is being portrayed in the media, as the only phone numbers it makes searchable on Google belong to users who have chosen to make them public by generating their links. Also, no names or other private details are showing up in Google Search.
Click to Chat Feature
The Click to Chat feature of WhatsApp allows you to create a link through which someone can connect with your WhatsApp profile directly. This removes the need to add a phone number to your contact list before chatting, and gives a way to connect with individuals on the messaging app directly by using a link that includes the phone number of the WhatsApp contact.
WhatsApp has had the Click to Chat feature for quite some time, and it has been used by several businesses to connect with their customers without requiring them to store their numbers.
The issue was first reported by WhatsApp features tracker WaBetaInfo in February this year, around the same time that people found WhatsApp group chat invite links being indexed by Google Search. The group invite issue was fixed shortly after it made the headlines, as it could have allowed random people to join private groups.
The phone number indexing is now back in the news because researcher Athul Jayaram claims to “have discovered this privacy issue,” even though it has been known for a while in the wild.
Jayaram noted in a post on Medium that the mobile numbers associated with the links created through the Click to Chat feature are visible on Google Search because WhatsApp hasn’t restricted search engines from indexing the domain wa.me that is used for those links. He also mentioned that various marketing executives, cybercriminals, and fraudsters could target the users whose numbers are visible on Google through the indexing of the wa.me links.
However, it’s crucial to note that apart from phone numbers, Google does not have a record of any other personal data of users who’ve used the Click to Chat feature of WhatsApp. In some cases, Jayaram found that he was able to see the profile pictures and profile statuses of the users whose numbers are visible in search results. However, those details are only available if the users have set their visibility to everyone, and one has to open each contact inside WhatsApp to see their profile picture, an arduous task.
Jayaram reached out to WhatsApp parent Facebook last month to report his discovery under a bug-bounty programme. However, he said that the social networking giant rejected his report, saying that its Data Abuse Bounty programme doesn’t cover WhatsApp.
Jayaram noted in his post that WhatsApp should care about the issue and avoid it by disallowing bots from crawling user links and encrypting the mobile numbers of its users who have created links using the Click to Chat feature.
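A defender-side check for the "disallow bots" mitigation described above, added here as an example and not WhatsApp's or Jayaram's code. The robots.txt contents, response headers, page HTML and the 555 placeholder number are constructed, and the function names and verdict labels are hypothetical.

```python
import re
from urllib.robotparser import RobotFileParser

def crawl_allowed(robots_txt, path, agent="Googlebot"):
    """True if the given robots.txt lets `agent` fetch `path`."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, path)

def has_noindex(headers, html):
    """True if the response says noindex via X-Robots-Tag or <meta name="robots">."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    meta = re.search(
        r'<meta[^>]+name=["\']robots["\'][^>]+content=["\']([^"\']*)', html, re.I)
    directives = hdrs.get("x-robots-tag", "") + "," + (meta.group(1) if meta else "")
    return any(d.strip().lower() in ("noindex", "none") for d in directives.split(","))

def index_exposure(robots_txt, path, headers, html):
    """Classify how a link that embeds a phone number can reach a search index."""
    crawl = crawl_allowed(robots_txt, path)
    if crawl and has_noindex(headers, html):
        return "protected"       # crawler fetches the page and is told not to index it
    if crawl:
        return "indexable"       # nothing stops the page from being indexed
    # Crawling is blocked, so a noindex directive is never read; the bare URL
    # (number included) can still be listed if other sites link to it.
    return "url-only-risk"

# Constructed sample inputs, not real WhatsApp configuration.
OPEN_ROBOTS = "User-agent: *\nDisallow: /admin/\n"
CLOSED_ROBOTS = "User-agent: *\nDisallow: /\n"
LINK_PATH = "/15555550100"       # fictional 555 number as the link path
PAGE = "<html><head><title>Chat</title></head></html>"
PAGE_META = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'

if __name__ == "__main__":
    cases = [
        ("open robots, no directive", OPEN_ROBOTS, {}, PAGE),
        ("open robots, header noindex", OPEN_ROBOTS, {"X-Robots-Tag": "noindex"}, PAGE),
        ("open robots, meta noindex", OPEN_ROBOTS, {}, PAGE_META),
        ("robots.txt block only", CLOSED_ROBOTS, {"X-Robots-Tag": "noindex"}, PAGE),
    ]
    for name, robots, headers, html in cases:
        print(f"{name:30} -> {index_exposure(robots, LINK_PATH, headers, html)}")
```

The last case is the one to watch for: a robots.txt block stops crawling but hides the noindex directive from the crawler, so the two controls should not be combined on the same path.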
WhatsApp has seemingly resolved the issue that was causing phone numbers to show up on Google. We can confirm that the numbers are not visible in search results anymore. The fix comes days after a researcher revealed that the phone numbers of WhatsApp users who created a simplified link to allow others to chat with them or join a group appeared in search results.