Facebook-owned instant messaging platform WhatsApp may have exposed its users’ phone number on Google search owing to a vulnerability in its ‘click to share’ feature. The mobile numbers of users are available on Google search in plain text format, according to an independent cybersecurity researcher Athul Jayaram.
“WhatsApp web portal has leaked around 29,000 – 3,00,000 WhatsApp user’s mobile numbers in plain text accessible to any internet user. What makes this finding easy or appears to be simple is that data is accessible on the open web and not on the dark web,” wrote Jayaram in his blogpost that was reported by Threatpost.
He added, “This privacy issue could have been avoided if Whatsapp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages. Unfortunately, they did not do that yet and your privacy may be at stake.”
Explaining the issue, Jayaram said that the vulnerability is part of WhatsApp ‘click to chat’ feature where user can generate link to invite others. According to Jayaram, WhatsApp does not encrypt the phone number in the link, as a result, if the link is shared anywhere, the phone number is also visible in plaintext.
For example, if a user shares a “click to chat” link on social media platform, it goes with the mobile number mentioned on it in. Anyone with access to the link might, therefore, be able to see the user’s phone number. Moreover, the URLs are accessed by Google Bots for search indexing. Therefore, the link appears in Google search results even if the original post has been removed from the source.
“This is because https://wa.me do not have a robots.txt file in its server root, which means you cannot stop Google or other search engine bots from crawling and indexing the wa.me links, which means those links will stay in the web. The pages do not have noindex meta tags to prevent any search engines from indexing the links,” said Jayaram.
Jayaram, apparently, raised the issue with Facebook, which reportedly said the “data abuse is only covered for Facebook platforms and not WhatsApp”.