WhatsApp Bug Leaked Personal Phone Numbers in Google Search Results
Recently, a security researcher has warned about a security threat posed by the WhatsApp messenger known as ‘Click to Chat’ this function allows Google to index the phone numbers of users, and all the indexed numbers can be easily found by anyone on the search engine.
The security researcher, who reported about the “Click to Chat” security flaw, Mr. Athul Jayaram cleared that, this flaw allows the sites to quickly initiate the WhatsApp conversations with their visitors.
In short, the function generally works by assigning a QR code to the phone number of the resource owner.
Here the site visitor just required to scan the QR code or click on the URL, and the dialogue in WhatsApp will begin. Moreover, there is no need to enter a phone number, but when the conversation begins, the user still has access to it.
“Here, the problem is that these numbers then go to Google, as the search engine indexes the metadata of the ‘Click to Chat.’ And then the phone number is included in the URL string (https://wa.me/<phone_number>), which leads to its leak” according to the security researcher, Athul Jayaram.
In short, it’s one of the lucrative options for the Spammers, as this security hole will allow them to easily create well-structured databases of original phone numbers to use them for their personal malicious campaigns.
Moreover, Athul clearly announced and reported that he managed to discover about 300,000 valid phone numbers from the search engine, as they are already indexed in Google.
Though the phone numbers are not tied to the names of their owners, but, here the fact is that the attackers can still find out to whom they belong.
If you click on the URL with a phone number in Google’s search results, a user’s profile will open along with the photo. An attacker can use the search in the picture and collect enough data about the potential victim.
WhatsApp Rejected This Bug for Bug Bounty
The security researcher, Athul Jayaram, told WhatsApp about its finding, but the company clearly refused his discovery to consider it as a security flaw. According to a WhatsApp spokesperson, here, the users themselves chose to make their phone numbers public.
Moreover, they have also cleared that the bug bounty program covers the Facebook platforms only, while WhatsApp is just a part of it. Apart from this, here’s what the public mediator of Google, Danny Sullivan said in his Twitter handler:-
New: Google is letting anyone find invite links to some private WhatsApp groups. Here is one we joined that is supposed to be for United Nations NGOs judging by its description. Can see members and get numbers https://t.co/TzWjqQmm2P pic.twitter.com/jda25POc0h— Joseph Cox (@josephfcox) February 21, 2020
But, still, the security researcher, Athul Jayaram, cleared his views on the flaw and strongly recommended WhatsApp to immediately encrypt the mobile phone numbers of all its users, and append a robots.txt file to forbid the bots from crawling their domain on which this resource is available.
WhatsApp has been resolved this issue soon after reported this bug and revealed it online.
WhatsApp spokesperson said, “a WhatsApp spokesperson said that this feature, called Click to Chat, is designed to help users, especially small and micro businesses around the world connect with their customers.”
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,”