A cybersecurity researcher named Athul Jayram has found a WhatsApp bug that causes thousands of phone numbers to appear in Google search results. The flaw in the WhatsApp web portal has affected users in India, the US and the UK, among other countries. According to Athul, the bug stems from the app’s Click to Chat feature, which exposes a user’s number in a URL that Google then indexes.
‘Click to Chat’ is a feature that lets a user start a WhatsApp conversation with another user without first saving that person’s phone number in the phone’s address book.
The feature was introduced two years ago and is especially convenient for business communication. It also lets websites chat with their visitors without the visitor having to type in a phone number. It works by generating a QR code or URL link for a user, which anyone can use to reach that user on WhatsApp. Once contact is made, the visitor can see the person’s phone number.
The biggest flaw of ‘Click to Chat’ is that Google’s search engine also adds the phone number to its search index when it indexes the feature’s metadata. According to Athul, a user’s mobile number is revealed as part of the URL string, which leaks that WhatsApp user’s number in plaintext. Worse still, the exposure can’t be revoked.
The researcher also stated that the system makes it much easier for spammers to collect users’ mobile numbers. He added that over 300,000 phone numbers have been leaked in plain text through Google Search. More disturbing still, he was also able to view the profile pictures of the affected WhatsApp users, which could make it easier for an attacker to run a reverse image search on Google to track down a user’s location.
Athul discovered the bug on May 23 and reported it to Facebook. The company responded that the issue does not qualify for a bug bounty, since only Facebook platforms are covered by the bounty program. It also suggested that the issue isn’t that big a deal, because users choose to make the information public.
Image credits: Allie Smith | Unsplash