While WhatsApp is becoming popular for online businesses, especially amidst the global lockdown due to COVID-19, a glitch has raised privacy concerns. Reportedly, a WhatsApp bug exists in the ‘Click to Chat’ feature that leaks users’ numbers in Google Search results.
WhatsApp Numbers In Google Search
Security researcher Athul Jayaram has found a trivial bug in WhatsApp that leaks users’ phone numbers in Google Search.
The bug affects the ‘Click to chat’ feature offered by WhatsApp. This feature helps a visitor communicate with a site, for example to seek assistance while shopping on an e-store. It works like a quick chat with the website’s support team: the visitor can start a conversation directly without having to dial the WhatsApp number of the relevant staff.
While that’s a useful feature, Jayaram discovered that it ends up making all WhatsApp numbers appear in Google Search. In fact, Google clearly indexes all such phone numbers, which is certainly a privacy breach. This happens because Google indexes the metadata of ‘Click to Chat’. Thus, the users’ phone numbers also end up being indexed by Google.
Accessing these numbers is also pretty simple for anyone. Simply typing site:wa.me "<phone_number>" in Google Search will reveal the numbers. To extract a detailed list, typing the area code will reveal all indexed numbers that begin with that code. The following image depicts such a scenario (as checked by LHN).
The domain “wa.me” belongs to WhatsApp.
Potential Risks Of This Glitch
Sharing the details with Threatpost, Jayaram said that such leakage of numbers exposes the users to scammers.
As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers.
He could also see the profile pictures of users, doing a reverse-image search of which could reveal users’ identity. This is especially harmful to users who use the same profile picture on other social media accounts too. A hacker may easily exploit all this information.
Through the WhatsApp profile, they can see the profile photo of the user, and do a reverse-image search to find their other social-media accounts and discover a lot more about [a targeted individual].
Upon discovering this matter, the researcher reached out to Facebook via their bug bounty program. However, the officials rejected his report for a bounty.
According to what a WhatsApp spokesperson told Threatpost,
While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.
Google, meanwhile, has already established that it cannot remove specific links from the web. Even if Google removes the links from its index, they may still appear on other search engines.
This issue is similar to the one reported earlier this year when a researcher found Google indexing WhatsApp and Telegram invite links.
For now, there seems to be no technical fix for the matter, so users should remain very careful while using ‘Click to chat’. They should be aware that using this feature might land their numbers in Google Search results.
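Since the exposure comes from ‘Click to chat’ links that end up on public pages, a site owner can at least check which numbers their own pages publish. The script below is an added example, not code from the article, the researcher or WhatsApp; it assumes the link shapes https://wa.me/<digits> and https://api.whatsapp.com/send?phone=<digits>, and the sample HTML and numbers are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page; the numbers are fictitious.
SAMPLE = """
<a href="https://wa.me/15555550123?text=Hi">Chat with sales</a>
<a href="https://api.whatsapp.com/send?phone=%2B15555550147">Support</a>
<a href="/contact">Contact form</a>
<a href="https://wa.me/15555550123">Chat (footer)</a>
<a href="https://example.com/wa.me/15555550199">Not a WhatsApp host</a>
"""

class _Links(HTMLParser):
    """Collects the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def number_in_link(href):
    """Return the digits a click-to-chat link exposes, or None."""
    try:
        url = urlparse(href if "//" in href else "//" + href)
    except ValueError:
        return None
    host = (url.hostname or "").lower()
    if host == "wa.me":                       # assumed form: wa.me/<digits>
        candidate = url.path.strip("/")
    elif host == "api.whatsapp.com" and url.path.rstrip("/") == "/send":
        candidate = parse_qs(url.query).get("phone", [""])[0]
    else:
        return None
    digits = re.sub(r"[\s+\-()]", "", candidate)
    return digits if re.fullmatch(r"\d{7,15}", digits) else None

def audit(html):
    """Masked, de-duplicated numbers published in the page's chat links."""
    parser = _Links()
    parser.feed(html)
    seen = []
    for href in parser.hrefs:
        n = number_in_link(href)
        if n and n not in seen:
            seen.append(n)
    # Mask all but the last three digits so the report does not re-leak them.
    return ["*" * (len(n) - 3) + n[-3:] for n in seen]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Numbers that the report flags on personal or staff pages are the ones a search engine can pick up once those pages are crawled.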