Your WhatsApp phone number could appear in Google Search
This bug can be used to find a WhatsApp user's other social media accounts.
WhatsApp has a host of features in its arsenal, and one of them has a bug that makes a WhatsApp user’s phone number appear in Google Search results.
Bug-bounty hunter Athul Jayaram told Threatpost that a bug in WhatsApp’s Click to Chat feature was putting the phone numbers of the users of the social messaging site at risk by allowing Google Search to index them. This in turn would allow anyone to search for users’ phone numbers on the web, putting them at great privacy risk.
To give some brief background on the feature, Click to Chat allows users to initiate a WhatsApp chat with another user without saving that user's phone number in the sender’s address book. This allows websites to interact with their visitors without the visitor having to dial the phone number.
Now, Jayaram says that the phone numbers of the visitors who use this feature to connect with websites can show up in Google Search results as the search engine indexes the feature’s metadata. The bug bounty hunter says that users’ phone numbers are visible in plain text in the URL -- https://wa.me/<phone_number> -- making it easier for scammers to compile a list of legitimate phone numbers. He has found 300,000 indexed on Google so far.
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” he said in a statement to the publication.
Furthermore, Jayaram said that since WhatsApp identifies only phone numbers, Google Search revealed just the phone numbers, and not the identities of the users of the social messaging site. However, this information can be used to access users’ profiles.
“Through the WhatsApp profile, they can see the profile photo of the user, and do a reverse-image search to find their other social-media accounts and discover a lot more about [a targeted individual],” he added.
The researcher discovered the bug on May 23, following which he contacted Facebook via its bug-bounty program. However, the company responded by saying that WhatsApp was not covered in the company’s data abuse program.
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” WhatsApp said in a statement to the publication.
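For a site owner who publishes a Click to Chat link, the exposure described above can be checked on their own pages. The following is an added example, not code from the article or from WhatsApp: it finds https://wa.me/<phone_number> links in a page's HTML and reports whether the page and the link carry crawler directives. It assumes the standard robots meta tag and rel="nofollow" (neither is mentioned in the article, and honoring them is up to each crawler); the sample pages and numbers are constructed.

```python
import re
from html.parser import HTMLParser

# wa.me/<phone_number> is the Click to Chat URL form quoted in the article.
WA_ME = re.compile(r"^https?://wa\.me/\+?(\d{6,15})(?:[/?#].*)?$", re.IGNORECASE)

class ClickToChatAudit(HTMLParser):
    """Collects wa.me links and robots directives from one HTML page."""
    def __init__(self):
        super().__init__()
        self.page_directives = set()   # from <meta name="robots" ...>
        self.links = []                # (masked number, rel tokens)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.page_directives |= {d.strip().lower() for d in a.get("content", "").split(",")}
        elif tag == "a":
            m = WA_ME.match(a.get("href", "").strip())
            if m:
                number = m.group(1)
                # Mask the number so the audit report does not itself become a list.
                masked = "*" * (len(number) - 2) + number[-2:]
                self.links.append((masked, set(a.get("rel", "").lower().split())))

def audit_page(html):
    """Return one finding per wa.me link: is the page indexable, is the link followable."""
    parser = ClickToChatAudit()
    parser.feed(html)
    parser.close()
    d = parser.page_directives
    page_indexable = not ({"noindex", "none"} & d)
    page_follow = not ({"nofollow", "none"} & d)
    return [{"number": masked,
             "page_indexable": page_indexable,
             "link_followable": page_follow and "nofollow" not in rel}
            for masked, rel in parser.links]

# Constructed sample pages (numbers are made up).
OPEN_PAGE = '<html><body><a href="https://wa.me/15550100123">Chat with us</a></body></html>'
HARDENED_PAGE = ('<html><head><meta name="robots" content="noindex, nofollow"></head>'
                 '<body><a rel="nofollow noopener" href="https://wa.me/15550100123?text=Hi">Chat</a>'
                 '<a href="https://example.com/contact">Contact form</a></body></html>')

if __name__ == "__main__":
    for name, page in (("open", OPEN_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, audit_page(page))
```

A link reported with both `page_indexable` and `link_followable` set to true is one where the number sits in plain text on a page that crawlers are free to index and follow.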