WhatsApp has a host of features in its arsenal that make it easy for users to chat with one another. But now, word is that one of those features has a bug that makes a WhatsApp user’s phone number appear in Google Search results.
Bug-bounty hunter Athul Jayaram told Threatpost that a bug in WhatsApp’s Click to Chat feature was putting the phone numbers of the users of the social messaging site at a risk by allowing Google Search to index them. This in turn would allow anyone to search for users’ phone numbers on the web thereby putting them at a great privacy risk.
To give you some brief information about the feature, Click to Chat allows users to initiate a WhatsApp chat with another user without saving their phone numbers saved in the sender’s address books. This allows websites to interact with their visitors without having the visitor to dial in the phone number.
Now, Jayaram says that the phone numbers of the visitors who use this feature to connect with websites can show up in Google Search results as the search indexes the feature’s metadata. The bug bounty hunter says that users’ phone numbers are visible in plain text in the URL — https://wa.me/<phone_number> — making it easier for scammers to compile a list of legitimate phone numbers. He has found 300,000 indexed on Google for far.
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” he said in a statement to the publication.
Furthermore, Jayaram said that since WhatsApp identifies only phone numbers, Google Search revealed just the phone numbers, and not the identities of the users of the social messaging site. However, this information can be used to access users’ profiles
“Through the WhatsApp profile, they can see the profile photo of the user, and do a reverse-image search to find their other social-media accounts and discover a lot more about [a targeted individual],” he added.
The researcher discovered the bug on May 23 following which he contacted Facebook via its bug-bounty program. However, the company responded by saying that WhatsApp was not covered in the company’s data abuse program…Read more>>