A Cybersecurity Researcher Discovered That Thousands of WhatsApp Mobile Numbers Are Available Through A Google Search

Athul Jayaram, an independent cybersecurity researcher, has highlighted that the phone numbers of many WhatsApp users are searchable in plain text on Google Search. Jayaram published a blog post explaining that he found a privacy issue in WhatsApp's web portal. According to Jayaram, the issue has leaked around 29,000 to 30,000 WhatsApp users' phone numbers in plain text, where anyone with internet access can reach them.

According to Jayaram, affected users are from almost all countries, including the US, Mexico, Indonesia, UK, India, Russia, China, Spain, Pakistan, Malaysia and many more. What makes the data easy to reach, he said, is that it is accessible on the open web, not on the dark web. He also reported the privacy issue to Facebook, WhatsApp's parent company. The social media company replied that its data abuse coverage applies only to Facebook platforms and does not extend to WhatsApp.

As a solution, Jayaram stated that WhatsApp could have avoided this privacy issue by encrypting users' phone numbers and by including a robots.txt file, which would have disallowed bots from crawling the domain, together with a meta noindex tag on the pages. WhatsApp did not do that, and the privacy of WhatsApp users may be at stake, Jayaram added.

He also said that WhatsApp should care about security vulnerabilities because the platform has a huge user base. Many people's phone numbers are now tied to their online services, bank accounts, credit cards, cryptocurrency wallets and more. If an attacker knows someone's phone number, that can open the way to SIM card swapping and cloning attacks.

According to Jayaram, WhatsApp has a ‘click to chat’ feature that generates links of the form "https://wa.me/1XXXXXXXXXX". The feature does not encrypt the user's mobile number in the generated link. Jayaram explained that if this link is shared anywhere, the user's mobile number becomes visible in plain text.

For example, if you share a ‘click to chat’ link with a friend on a social platform such as Facebook or Twitter, your phone number appears in plain text in the Uniform Resource Locator (URL) and is visible to anyone who can find that URL. Even if you delete the original source of the link, your mobile number will still be accessible on Google, because Googlebot will have crawled and indexed the URL before you deleted the link.

Jayaram explained that because ‘https://wa.me’ does not have a robots.txt file in the server root, Google's bots are not stopped from crawling the URLs. Moreover, any search engine can index these links, as the pages do not contain meta noindex tags.
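The two controls Jayaram names can be audited from responses a site owner has already fetched. The following is an added example, not code from Jayaram's post or from WhatsApp; the host `example.test`, the function name `indexing_exposure` and the sample inputs are constructed for illustration, and it also checks the `X-Robots-Tag` response header, which the article does not mention.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def indexing_exposure(url, robots_txt, headers, html, agent="Googlebot"):
    """Audit already-fetched responses for the controls the article names.

    robots_txt: body of /robots.txt, or "" if the server has none.
    headers/html: response headers and body of the page at `url`.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_allowed = rp.can_fetch(agent, url)

    meta = RobotsMeta()
    meta.feed(html)
    x_robots = {k.lower(): v.lower() for k, v in headers.items()}.get("x-robots-tag", "")
    noindex = bool({"noindex", "none"} & meta.directives) or "noindex" in x_robots

    return {
        "crawl_allowed": crawl_allowed,   # False when robots.txt disallows the path
        "noindex": noindex,               # True when meta tag or header says noindex
        "content_indexable": crawl_allowed and not noindex,
    }


if __name__ == "__main__":
    # Constructed inputs: hypothetical host, placeholder number, no controls at all.
    url = "https://example.test/1XXXXXXXXXX"
    print(indexing_exposure(url, "", {}, "<html><head></head></html>"))
    # Same page with both controls in place.
    print(indexing_exposure(url, "User-agent: *\nDisallow: /\n", {},
                            '<meta name="robots" content="noindex">'))
```

The two controls are not interchangeable: a robots.txt Disallow stops crawling, but a blocked URL can still be listed by a search engine if other pages link to it, and a crawler that is blocked never gets to read the page's noindex directive.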

Due to this privacy issue, unknown individuals, cybercriminals, marketing executives, and fraudsters may find users' mobile numbers. If you have set your WhatsApp privacy settings to public, this issue may also help scammers access details such as your profile status, name, or profile picture. Jayaram recommended that the best solution is to delete your WhatsApp account or change your phone number.

Search site:wa.me with your country code on Google Search to see which phone numbers are available on the web publicly.

A similar incident happened with private WhatsApp groups in February of this year. Back then, Facebook tweaked a few settings on its side to stop private group chat links from being indexed by search engines. We hope the social media giant will act quickly this time too, and that it will review every other way its app could leak data to prevent such mishaps in the future.
