Your WhatsApp-linked number could show up in Google Search

The bug in question, as security researcher Athul Jayaram explained to Threatpost, pertains to WhatsApp's Click to Chat feature, which allows businesses to create a link or QR for their WhatsApp number.

The function is widely used by small and medium businesses to link their WhatsApp contact number on their website and let any visitor directly chat with them, without even knowing their number.

While the feature works seamlessly, Jayaram noted that its behavior is such that WhatsApp numbers, using the Click to Chat feature and linked to websites, are automatically indexed by search engines.

This, he said, quietly exposes those WhatsApp numbers as well as other account-related data like name and email (in some cases) in plain text on Google and other search engines.

WhatsApp numbers using Click to Chat are indexed as part of the (https://wa.me/...) URL.

This means you could use a specially crafted search string of the domain https://wa.me/ to discover the numbers.

Jayaram was able to use the string to mine as many as 300,000 WhatsApp numbers, while we at NewsBytes were able to dig up dozens using the same trick.

In our search, which was personalized for Indian numbers, most WhatsApp accounts that showed up were business accounts maintained by retailers, institutes, and other small businesses. Many of them even had their business location and email on display.

This kind of data could be easily compiled to carry out sophisticated phishing attacks and trick these people into giving away money or more information.

When contacted, WhatsApp said it is not a bug and the numbers are public because the users wanted them to be.

"While we appreciate this researcher's report... it merely contained a search engine index of URLs that WhatsApp users chose to make public," the company told Threatpost.

"All WhatsApp users, including businesses, can block unwanted messages with the tap of a button," it added.