Your mobile number tied to WhatsApp is being indexed publicly on Google Search creating a “privacy nightmare”
What if you woke up one day to find yourself inundated by calls, video calls and text messages from total strangers? That would be a nightmare, right? It can actually happen, because the mobile number tied to the WhatsApp account on your Android smartphone or iPhone is being indexed and displayed publicly on Google Search.
This was discovered by Indian researcher Athul Jayaram, who was surprised to find that Google Search was indexing the phone numbers of WhatsApp users. Athul found that a WhatsApp feature called “Click to Chat” was the culprit: it allows Google Search to index the mobile numbers tied to WhatsApp accounts. Once a number is indexed, anybody in the world can find it with a little Googling.
What’s weirder is that WhatsApp owner Facebook knows about this. Facebook says that Google indexes the mobile numbers of such WhatsApp users because they have chosen to make the numbers public anyway.
Athul has other views about the matter and calls the phone numbers “leaked” and says that the security bug puts WhatsApp users’ privacy at risk from hackers, stalkers, and extortionists.
What is the WhatsApp Click to Chat feature?
WhatsApp Click to Chat is a feature that websites use to chat with their readers. It offers a one-click way for a website visitor and the website operator to start an interactive chat session. The visitor scans the WhatsApp Quick Response (QR) code image embedded on the website (created via third-party services) to open a chat with the website owner’s WhatsApp number.
The visitor can either scan the site’s QR code or click on a URL to initiate the WhatsApp chat session, without having to dial the number themselves. This is all fine; the problem arises when Google indexes the Click to Chat links and displays them in search results.
Athul found that users’ WhatsApp-linked mobile numbers appear in Google Search results because search engines index Click to Chat metadata. The phone number is part of the URL string itself (https://wa.me/<phone_number>), so, in the researcher’s view, this in effect “leaks” the mobile numbers of WhatsApp users in plaintext. Athul notes that the “wa.me” domain is owned and maintained by WhatsApp, according to WHOIS records.
“Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it,” Athul told Threatpost, explaining why this is a big privacy issue. Athul says that if he could compile a database of WhatsApp mobile numbers using a simple specially crafted search string, or Google Dork, imagine what cybercriminals can do.
Athul ran his Google Dork query against the domain https://wa.me/ and found that Google had indexed a whopping 300,000 WhatsApp phone numbers. He says that the indexing of Click to Chat links can lead to abuse, stalking and fraud. And the problem doesn’t stop there.
Athul says that because WhatsApp uses mobile numbers as identifiers, Google Search only reveals the phone numbers, not the identities of the users they belong to. However, anybody can see the user’s WhatsApp profile, including the display picture and the phone number, just by clicking on the Google search result. That is enough for a determined attacker to run a reverse-image search on the profile picture in the hope of collecting enough clues to establish the user’s identity and stalk or abuse them.
“Through the WhatsApp profile, they can see the profile photo of the user, and do a reverse-image search to find their other social-media accounts and discover a lot more about [a targeted individual],” Athul told Threatpost.
WhatsApp owner Facebook rejected Athul’s Bug Bounty application
After discovering the issue on May 23, Athul reached out to the Facebook and WhatsApp security teams. Facebook responded that its data-abuse bounty program covers only Facebook platforms, not WhatsApp. A WhatsApp spokesperson gave Athul a different explanation:
While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.
Athul, though, warns WhatsApp users. He has recommended that WhatsApp encrypt user mobile numbers and add a robots.txt file to disallow bots from crawling the domain. “Unfortunately they did not do that yet, and your privacy may be at stake,” he said. “Today, your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility.”
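The robots.txt recommendation above can be checked concretely. The following is an added example, not WhatsApp’s code or the researcher’s: it uses Python’s standard robots.txt parser to show that a permissive robots.txt lets a cooperative crawler fetch a wa.me Click to Chat URL, while a “disallow all” robots.txt blocks it, and it flags links whose path carries a phone number in plaintext. The robots.txt contents and the sample URLs (placeholder numbers) are constructed for the example.

```python
"""Added example (not WhatsApp's code): model the researcher's robots.txt
recommendation by checking whether a crawler that honours robots.txt could
fetch a wa.me Click to Chat URL, and flag links whose path carries a number
in plaintext. The robots.txt contents and sample URLs are constructed."""
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed: a robots.txt that imposes no restriction on crawlers.
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"

# Constructed: the recommended setting; every path on the host is disallowed,
# so /<phone_number> URLs are not fetched for indexing by well-behaved bots.
ROBOTS_DISALLOW_ALL = "User-agent: *\nDisallow: /\n"


def crawl_allowed(robots_txt: str, url: str, user_agent: str = "Googlebot") -> bool:
    """True if a crawler that obeys this robots.txt may fetch `url`."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


def exposes_plaintext_number(url: str) -> bool:
    """True when a wa.me link carries the phone number directly in its path."""
    parsed = urlparse(url)
    digits = parsed.path.strip("/").lstrip("+")
    return parsed.netloc == "wa.me" and digits.isdigit() and len(digits) >= 7


def audit(robots_txt: str, urls: list) -> list:
    """For each link: (url, number in plaintext?, crawlable under robots.txt?)."""
    return [(u, exposes_plaintext_number(u), crawl_allowed(robots_txt, u)) for u in urls]


if __name__ == "__main__":
    # Constructed placeholder number, not a real user's number; the root URL
    # and a text-only link carry no number in their path.
    links = ["https://wa.me/0000000000", "https://wa.me/", "https://wa.me/?text=hello"]
    for name, robots in (("open", ROBOTS_OPEN), ("disallow all", ROBOTS_DISALLOW_ALL)):
        print(f"robots.txt = {name}")
        for url, exposed, crawlable in audit(robots, links):
            print(f"  {url}: number in path={exposed}, crawlable={crawlable}")
    # robots.txt only stops cooperative crawlers from fetching pages in future;
    # it does not remove URLs that a search engine has already indexed.
```

Because robots.txt is advisory, a number that is already indexed stays visible until the search engine drops the URL, which is why the researcher also asks for the numbers not to appear in plaintext in the first place.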