Your WhatsApp-linked number could show up in Google Search
What's the story
Your WhatsApp-linked number, maybe even name and email address, could be leaking through Google Search. A security researcher has flagged a critical vulnerability in the Facebook-owned messaging service - an issue that can allow anyone to look up the above-mentioned information on Google and create a database for social engineering-based attacks. Here is all you need to know about it.
Issue
Problem with WhatsApp's 'Click to Chat' feature
The bug in question, as security researcher Athul Jayaram explained to Threatpost, pertains to WhatsApp's Click to Chat feature, which allows businesses to create a link or QR for their WhatsApp number. The function is widely used by small and medium businesses to link their WhatsApp contact number on their website and let any visitor directly chat with them, without even knowing their number.
Search
These numbers are indexed by Google
While the feature works seamlessly, Jayaram noted that its behavior is such that WhatsApp numbers, using the Click to Chat feature and linked to websites, are automatically indexed by search engines. This, he said, quietly exposes those WhatsApp numbers as well as other account-related data like name and email (in some cases) in plain text on Google and other search engines.
Leak
Anyone could dig up WhatsApp numbers
WhatsApp numbers using Click to Chat are indexed as part of the (https://wa.me/...) URL. This means you could use a specially crafted search string of the domain https://wa.me/ to discover the numbers. Jayaram was able to use the string to mine as many as 300,000 WhatsApp numbers, while we at NewsBytes were able to dig up dozens using the same trick.
Concern
This could be used for major attacks
In our search, which was personalized for Indian numbers, most WhatsApp accounts that showed up were business accounts maintained by retailers, institutes, and other small businesses. Many of them even had their business location and email on display. This kind of data could be easily compiled to carry out sophisticated phishing attacks and trick these people into giving away money or more information.
Response
Meanwhile, WhatsApp says it is not an issue
When contacted, WhatsApp said it is not a bug and the numbers are public because the users wanted them to be. "While we appreciate this researcher's report... it merely contained a search engine index of URLs that WhatsApp users chose to make public," the company told Threatpost. "All WhatsApp users, including businesses, can block unwanted messages with the tap of a button," it added.