The phone numbers of several users of instant messaging platform WhatsApp's ‘click to share’ feature may have been exposed on Google search. These mobile numbers are available on Google search in plain text format, according to independent cybersecurity researcher Athul Jayaram.
“WhatsApp web portal has leaked 29,000-3,00,000 WhatsApp users’ mobile numbers in plain text accessible to any internet user. What makes this finding easy or appears to be simple is that data is accessible on the open web and not on the dark web,” wrote Jayaram in his blog post that was reported by Threatpost.
He added, “This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages. Unfortunately, they did not do that yet and your privacy may be at stake.”
Explaining the issue, Jayaram said that the vulnerability is part of WhatsApp’s ‘click to chat’ feature, which lets a user generate a link inviting others to message them. According to Jayaram, WhatsApp does not encrypt the phone number in the link; as a result, if the link is shared anywhere, the phone number is visible in plaintext as well.
For example, if a user shares a ‘click to chat’ link on a social media platform, the link carries the mobile number embedded in it. Anyone with access to the link might therefore be able to see the user’s phone number. Moreover, Google’s crawlers fetch such URLs for search indexing, so the link can appear in Google search results even after the original post has been removed from the source.
“This is because https://wa.me does not have a robots.txt file in its server root, which means you cannot stop Google or other search engine bots from crawling and indexing the wa.me links, which means those links will stay in the web. The pages do not have noindex meta tags to prevent any search engines from indexing the links,” said Jayaram.
Jayaram, apparently, raised the issue with Facebook, which reportedly said the “data abuse is only covered for Facebook platforms and not WhatsApp”.
“Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers. While we appreciate this researcher’s report and value the time that he took to share it with us, we have let the researcher know that his report does not qualify for a bounty since it merely contains a search engine index of URLs that WhatsApp users chose to make public themselves. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” said a WhatsApp spokesperson.
WhatsApp added: “We also let him (the researcher) know that a mitigation was already in place for this and the results he found were old results that were cached by the search engine, and would be removed as the site continued to re-index websites and discovered the no-index tag.”
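The two mitigations discussed in this story, a robots.txt Disallow and a noindex directive (header or meta tag), can be checked mechanically. The following is an added example, not code from the article, the researcher or WhatsApp; it assumes a placeholder host and number and a constructed crawler response, and classifies whether a search engine would end up listing the URL.

```python
import re
from urllib.parse import urlparse

# Constructed sample standing in for a click-to-chat style link and the response a
# crawler would receive. Host and number are placeholders, not a real link.
SAMPLE_URL = "https://wa.example/0000000000"
SAMPLE_ROBOTS_TXT = ""                     # missing or empty robots.txt: nothing disallowed
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = "<html><head><title>Chat</title></head><body></body></html>"

def robots_disallowed(robots_txt, path):
    """True if a 'User-agent: *' group in robots_txt has a Disallow prefix covering path."""
    agents, disallowed, prev_was_agent = set(), [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if not prev_was_agent:                   # consecutive User-agent lines form one group
                agents = set()
            agents.add(value.lower())
            prev_was_agent = True
        else:
            prev_was_agent = False
            if key == "disallow" and "*" in agents and value:
                disallowed.append(value)
    return any(path.startswith(prefix) for prefix in disallowed)

def has_noindex(headers, html):
    """True if an X-Robots-Tag header or a <meta name="robots"> tag carries 'noindex'."""
    header = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    if "noindex" in header.lower():
        return True
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        if re.search(r'name=["\']robots["\']', tag, re.I):
            content = re.search(r'content=["\']([^"\']*)["\']', tag, re.I)
            if content and "noindex" in content.group(1).lower():
                return True
    return False

def index_status(url, robots_txt, headers, html):
    """Classify how a search engine would treat url: can it crawl, did it see noindex, will it list it?"""
    path = urlparse(url).path or "/"
    crawlable = not robots_disallowed(robots_txt, path)
    # A noindex directive only works if the crawler may fetch the page: a robots.txt
    # Disallow hides the directive, and the bare URL can still be listed without content.
    noindex = crawlable and has_noindex(headers, html)
    return {"crawlable": crawlable, "noindex": noindex, "likely_indexed": not noindex}
```

Note that the two mitigations do not simply add up: a robots.txt Disallow stops the crawler from fetching the page, so it never sees the noindex tag, and the URL itself can still be listed.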