An independent cybersecurity researcher has discovered that a security bug in Facebook-owned WhatsApp is leaking users’ phone numbers linked to their WhatsApp accounts in Google Search results putting the social messaging site at a risk.
Athul Jayaram who discovered the vulnerability mentioned that the bug in question pertains to WhatsApp’s ‘Click to Chat’ feature, where the links are generated.
WhatsApp’s Click to Chat feature gives users an easy way to initiate to chat with visitors on websites. This feature works by associating a Quick Response (QR) code image, or chatting can be done by clicking on a URL without the visitor having to dial the number itself.
According to Jayaram, the phone numbers of the users who use this feature of Click to Chat, to connect with websites can display in Google Search results, as the search indexes the feature’s metadata.
The phone numbers revealed as part of a URL string (https://wa.me/<phone_number>) is indexed on Google, and the phone numbers are displayed via plain text. This feature “does not encrypt the phone number in the link, as a result, if this link is shared anywhere, your phone number is also visible in plaintext.
This makes it easier for scammers to compile a list of legitimate phone numbers. Jayaram found that the privacy issue in the WhatsApp web portal leaked around 300,000 WhatsApp user’s mobile numbers in plain text making it accessible to any internet user.
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” he told Threatpost.
Jayaram said that since WhatsApp identifies only phone numbers (as opposed to usernames or email IDs), Google Search revealed just the phone numbers and not the identities of the users of the social messaging site. However, this data can be used to access the profiles of WhatsApp users.
“Through the WhatsApp profile, they can see the profile photo of the user, and do a reverse-image search to find their other social-media accounts and discover a lot more about [a targeted individual],” he added.
According to Jayaram, using the combination of a phone number with a name and address could be a powerful starting point for an identity thief. “Most users do use the same profile picture on other social media accounts, the user profiles can be also easily find out,” he said.
He noted that users from the United States, the United Kingdom, India and almost all other countries are affected. “What makes this easy or appears to be simple is that data is accessible on the open web and not on the dark web,” Jayaram said.
After discovering the bug on May 23, Jayaram contacted Facebook via its bug-bounty program and informed them about the issue. However, the company responded by saying that that data abuse is only covered for Facebook platforms, and not for WhatsApp. It also added that the issue is not a bug and the numbers are public because the users wanted them to be.
“Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers,” WhatsApp said in a statement to the publication.
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”