There are only a few things that you might not be able to find on the popular search engine Google but never in your worst nightmare could you imagine that your phone number pops up on the platform for the world to see.
It seems the worst has come true indeed as a bug-bounty hunter Athul Jayram has found a bug in WhatsApp that posts the number of the messaging app’s user on Google.
Speaking to Threatpost, Athul said that a bug in WhatsApp’s Click to Chat feature was putting the users’ number on Google Search to index them.
What is Click to Chat Feature?
The Click to Chat feature on WhatsApp allows a user to message someone on WhatsApp without having to save their number in the phone’s contact.
The feature was introduced in 2018 and allows a user to have a conversation with another user without dialling or saving their number.
It mostly works by associating a QR code with the person’s contact number so that anyone can scan the code and directly message the person without having to save the number.
The visitor then gains access to the phone number once the call has been made.
The Problem With This Feature
The biggest problem with the Click to Chat feature is that Google’s search engine also indexes the features metadata which lands the mobile number on Google.
As per Athul, the phone numbers are revealed as part of a URL string (https://wa.me/<phone_number>) and this subsequently leaks the mobile phone numbers of WhatsApp users in plaintext.
What’s worse is that you cannot revoke it.
He also argues that this system makes it easier for spammers to collect phone number through this process to spam them.
Using a specifically crafted search mechanism of the domain https://wa.me, Athul said that he had found more than 3,00,000 WhatsApp numbers that Google had indexed.
What’s even more disturbing is that he could also see the profile pictures of the users and any hacker can reverse search the image on Google and track down where the person lives.
WhatsApp’s Response
The researcher had discovered the bug on 23 May and then contacted Facebook.
WhatsApp acknowledged that the app was a part of the data abuse bounty program however since the researcher’s report merely contained a search engine index of URLs that WhatsApp users chose to make public, their report was denied.
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,”WhatsApp Spokesperson to The Quint
“Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers.”, it added.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)