A feature built into WhatsApp is causing users' phone numbers to end up online. It is unclear whether this is a bug in the Facebook-owned messenger or simply a consequence of how the "Click to Chat" feature works. Either way, a security researcher points out that the phone numbers are being indexed by Google Search and can be found by anyone.
According to security researcher and bug bounty participant Athul Jayaram, the numbers were exposed as the result of a security bug. WhatsApp has not said whether it considers this a vulnerability.
Click to Chat lets a website start a WhatsApp conversation with its visitors. Visitors follow a link or scan a QR code that opens a chat with the phone number the website registered. It is a convenient way to reach a business on the platform without the visitor having to type in the number and create a contact.
Jayaram points out that the phone numbers websites use to set up Click to Chat are showing up in Google Search results. Google surfaces links of the form https://wa.me/<phone_number>, where wa.me is a domain owned by WhatsApp.
"Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it," Jayaram said in a conversation with Threatpost.
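The exposure described above is mechanical: the number is the URL path, so anyone who can read the link (a crawler included) can read the number. A site owner can check what they are publishing before it is indexed. The script below is an added example, not code from Threatpost, Jayaram or WhatsApp: it parses a page's anchor tags, recognises Click to Chat links and returns the phone numbers they carry. The sample HTML is constructed for the example; handling the api.whatsapp.com/send?phone= form alongside wa.me/<number> is an assumption on my part, since the article only names wa.me.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: Click to Chat links come in these two host forms. The article
# only mentions wa.me; api.whatsapp.com is included as an assumption.
CLICK_TO_CHAT_HOSTS = {"wa.me", "api.whatsapp.com"}


class _LinkCollector(HTMLParser):
    """Collect the href attribute of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def number_from_click_to_chat_url(url):
    """Return the phone number embedded in a Click to Chat URL, or None.

    wa.me carries the number as the first path segment; the api.whatsapp.com
    form carries it in the 'phone' query parameter. The number is returned as
    bare digits, which is what a search engine would surface in the URL.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host not in CLICK_TO_CHAT_HOSTS:
        return None
    if host == "wa.me":
        raw = parsed.path.strip("/").split("/")[0]
    else:
        raw = parse_qs(parsed.query).get("phone", [""])[0]
    digits = re.sub(r"\D", "", raw)  # drop '+', spaces and dashes
    # E.164 numbers are at most 15 digits; anything longer is not a number
    if not digits or len(digits) > 15:
        return None
    return digits


def audit_page(html):
    """Return the sorted, de-duplicated phone numbers a page exposes via Click to Chat links."""
    collector = _LinkCollector()
    collector.feed(html)
    exposed = set()
    for href in collector.hrefs:
        number = number_from_click_to_chat_url(href)
        if number:
            exposed.add(number)
    return sorted(exposed)


# Constructed sample page (not a real site): both link forms, a bare wa.me
# link with no number, and an unrelated link that must be ignored.
SAMPLE_HTML = """
<html><body>
<a href="https://wa.me/15551234567">Chat with sales</a>
<a href="https://api.whatsapp.com/send?phone=%2B44%207700%20900123&amp;text=Hi">Support</a>
<a href="https://example.com/contact">Contact form</a>
<a href="https://wa.me/">Bare link</a>
</body></html>
"""

if __name__ == "__main__":
    for number in audit_page(SAMPLE_HTML):
        print("phone number published in a public Click to Chat URL:", number)
```

Every number the audit returns is one a crawler can read just as easily, and, as Jayaram notes, a link that has already been published cannot be recalled. The useful decision is therefore made before publishing: use Click to Chat only with a number you are content to see in search results.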
By searching Google for results on the https://wa.me/ domain, he found roughly 300,000 WhatsApp phone numbers. Jayaram argues this lets attackers mount more accurately targeted campaigns against users.
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” he said.
It is worth noting that WhatsApp asks only for a user's phone number and no other information, and that messages are end-to-end encrypted, so the phone number is the only account data the URL itself gives away. However, Jayaram points out that the number also leads to the user's profile photo, which turns a bare number into a starting point for identifying the person behind it.
"Through the WhatsApp profile, they can see the profile photo of the user, and do a reverse-image search to find their other social-media accounts and discover a lot more about [a targeted individual]," he told Threatpost.
Interestingly, some WhatsApp users said they already knew their number was visible in search results: they had published the link deliberately so that their business contact details could be found. That said, Jayaram says many users will not be aware that their phone number is visible.