What you need to know
- A security researcher has discovered that phone numbers of WhatsApp users using the 'Click to Chat' feature were indexed publicly on Google Search.
- The Click to Chat feature lets users chat with someone on WhatsApp even without saving their phone number in their phone.
- Fortunately, the issue appears to have been resolved by WhatsApp.
If you have used WhatsApp's little-known Click to Chat feature, your phone number may have been publicly accessible via a Google search. Athul Jayaram, a security researcher from India, has discovered that a privacy issue in the WhatsApp web portal may have exposed phone numbers of nearly 300,000 WhatsApp users.
The Click to Chat feature, which has been around for a long time now, makes it possible for businesses to create a link to allow their customers to send them a message on WhatsApp. Customers can simply click on the link and start chatting without having to save the phone number in their phone.
WhatsApp generates these links as https://wa.me/, without encrypting the phone numbers present in the link. This makes the phone numbers in the Click to Chat links visible in plaintext on the web, as the pages do not use noindex meta tags to prevent search engines such as Google from indexing the links. As explained by Jayaram in his post on Medium, leaked WhatsApp numbers of users from any country could be found using the Google search query site:wa.me "
Jayaram reported the issue to Facebook through the company's bug-bounty scheme on May 23. However, his application was dismissed as "it only contained a search engine index or URLs that WhatsApp users chose to make public." Even though the application was dismissed, WhatsApp has now fixed the issue, and phone numbers are no longer searchable.
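The missing noindex signal described above can be checked for on your own pages. The following is an added example, not code from WhatsApp or from Jayaram's post: it inspects a response's X-Robots-Tag headers and robots meta tags, and the sample responses and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}       # "none" is shorthand for noindex, nofollow
CRAWLERS = {"robots", "googlebot"}   # generic rules plus the crawler being audited

def parse_directives(value):
    """Parse 'noindex, nofollow' or a crawler-scoped 'googlebot: noindex'."""
    m = re.match(r"\s*([\w-]+)\s*:(.*)", value, re.S)
    if m and m.group(1).lower() != "unavailable_after":
        if m.group(1).lower() not in CRAWLERS:
            return set()             # rule addressed to a different crawler
        value = m.group(2)
    return {d.strip().lower() for d in value.split(",") if d.strip()}

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots|googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() in CRAWLERS:
            self.directives |= parse_directives(a.get("content", ""))

def indexing_blockers(headers, html):
    """Return where a noindex signal was found: 'header', 'meta', both, or []."""
    found = []
    for name, value in headers:      # header names are case-insensitive
        if name.lower() == "x-robots-tag" and parse_directives(value) & BLOCKING:
            found.append("header")
            break
    meta = RobotsMeta()
    meta.feed(html)
    if meta.directives & BLOCKING:
        found.append("meta")
    return found

# Constructed sample responses for a page whose URL embeds a phone number.
EXPOSED = ([("Content-Type", "text/html")],
           "<html><head><title>Chat</title></head><body>Open chat</body></html>")
META_FIXED = ([("Content-Type", "text/html")],
              '<html><head><META NAME="Robots" CONTENT="NOINDEX, nofollow"></head></html>')
HEADER_FIXED = ([("x-robots-tag", "googlebot: noindex")], "<html></html>")
OTHER_BOT = ([("X-Robots-Tag", "otherbot: noindex")], "<html></html>")

if __name__ == "__main__":
    for label, (hdrs, body) in [("exposed", EXPOSED), ("meta", META_FIXED),
                                ("header", HEADER_FIXED), ("other bot", OTHER_BOT)]:
        print(label, "->", indexing_blockers(hdrs, body) or "INDEXABLE")
```

A robots.txt Disallow rule is not a substitute for either signal: it stops the crawler from fetching the page, so a noindex directive on it is never read, and the URL itself can still be listed if other sites link to it.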