WhatsApp may have leaked your number on Google, claims cybersecurity researcher
A bug in WhatsApp might have caused the Facebook-owned messaging app to leak the phone numbers of users on Google Search. According to a cybersecurity researcher, the WhatsApp bug has exposed the phone numbers of around 29,000 to 300,000 users online. The bug arises from WhatsApp's Click to Chat feature; however, the researcher claims that the issue is not very serious.
“WhatsApp web portal has leaked around 29,000 to 3,00,000 WhatsApp users’ mobile numbers in plain text accessible to any internet user. What makes this finding easy or appears to be simple is that data is accessible on the open web and not on the dark web,” wrote cybersecurity researcher Athul Jayaram in his blog post.
The WhatsApp Click to Chat feature, which has reportedly exposed the numbers of users, allows users to create a link through which others can get in touch with them directly. Jayaram claims that WhatsApp doesn’t encrypt the phone number, so when you share the link, you also accidentally expose the phone number in plaintext.
“Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it,” Jayaram told Threatpost.
For instance, if you have created a link through Click to Chat and shared it on social media platforms, the number is shared online along with it. Whoever has access to the link will also get the phone number. He said that, due to this glitch, several cybercriminals and fraudsters could target users whose numbers are exposed to Google.
“This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages. Unfortunately, they did not do that yet and your privacy may be at stake,” he wrote in his blog.
Jayaram had also approached WhatsApp and Facebook about the issue, but WhatsApp rejected the report. “While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” a WhatsApp spokesperson said in a statement to Threatpost.
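
The two crawler controls Jayaram names, a robots.txt rule and a meta noindex tag, can be checked for any page that carries a phone number in its URL. The Python below is an added example, not code from the article, the researcher or WhatsApp; the host `chat.example`, the phone number and the sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample data: placeholder host and phone number, not real values.
URL = "https://chat.example/15555550100"
ROBOTS_OPEN = ""                                  # no robots.txt rules at all
ROBOTS_BLOCKED = "User-agent: *\nDisallow: /\n"   # asks all bots not to crawl
PAGE_PLAIN = "<html><head><title>Chat</title></head><body></body></html>"
PAGE_NOINDEX = ('<html><head><meta name="robots" content="noindex, nofollow">'
                "</head><body></body></html>")


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def crawl_allowed(robots_txt, url, agent="*"):
    """True if the given robots.txt text lets `agent` fetch `url`."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def has_noindex(html):
    """True if the page carries a robots meta tag containing noindex."""
    parser = RobotsMeta()
    parser.feed(html)
    return "noindex" in parser.directives


def audit(robots_txt, url, html):
    """Report both controls; 'unprotected' means neither one is in place."""
    allowed, noindex = crawl_allowed(robots_txt, url), has_noindex(html)
    return {"crawl_allowed": allowed, "noindex": noindex,
            "unprotected": allowed and not noindex}


if __name__ == "__main__":
    for robots, page in [(ROBOTS_OPEN, PAGE_PLAIN), (ROBOTS_OPEN, PAGE_NOINDEX),
                         (ROBOTS_BLOCKED, PAGE_PLAIN)]:
        print(audit(robots, URL, page))
```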