WhatsApp is one of the most popular messaging apps in the world with over a billion users. Now, a security researcher has found a flaw with WhatsApp that has exposed some phone numbers through Google search.
Athul Jayaram, an independent security researcher from India, explains in a post on Medium (via Android Central) that WhatsApp’s “Click to Chat” feature has been exposing phone numbers to the public. The Click to Chat feature is designed for businesses, offering a quick link for users to click to start a conversation between a business and a customer. These links are generated using the wa.me shortlink.
The feature sound innocent enough, but it seems to have had an unintended consequence. The links apparently store phone number data in plain text, not encrypting the data at all. This would be fine if they were hidden, but the web pages associated with those links aren’t using the “noindex” metadata to avoid being scooped up by search engines.
What does that mean? For up to 300,000 WhatsApp users who used the “Click to Chat” feature, their phone number may be easily discoverable on Google search. This issue seems to have occurred in all regions including the United States, India, and more. The “leaked” pages contain not only phone numbers, but also profile pictures of those users as well. Finding the data was as simple as using “site:wa.me” in Search and inputting an area code afterward.
It’s important to note that Google is by no means at fault here. The search engine is just doing its job, indexing the web and making that data relatively easy to find.
Realistically, this issue was low-risk for many users, but it’s still good to know that WhatsApp/Facebook have already patched things up.
More on WhatsApp:
- WhatsApp’s latest stickers promote social distancing amid coronavirus pandemic
- Latest WhatsApp beta adds QR codes for easy profile and contact sharing
- WhatsApp rolls out Facebook Messenger Rooms integration
FTC: We use income earning auto affiliate links. More.