WhatApp has always had security vulnerabilities.
The social messaging app, to its credit, has been addressing them regulalrly. And once more WhatsApp needs to get its firefighting act right, as an independent cybersecurity researcher from India and a bug bounty hunter has come up with the serious allegation that the mobile numbers of many WhatsApp users are available via a simple Google search.
But as of now, Facebook, which owns WhatsApp, has brazened it out saying, the search results only reveal what the users have chosen to make public anyway.
The researcher, Athul Jayaram, has claimed that WhatsApp web portal has leaked around 29000–300000 WhatsApp users’ mobile numbers in plaintext accessible to any internet user in plaintext.
“Users affected are from United States, United Kingdom, India and almost all other countries. What makes this easy or appears to be simple is that data is accessible on the open web and not on the dark web,” Jayaram alleges.
Jayaram says a bug in WhatsApp’s Click to Chat feature was putting the phone numbers of the users of the social messaging site at a risk by allowing Google Search to index them.
Click to Chat allows users to initiate a WhatsApp chat with another user without saving their phone numbers in the sender’s address books. This allows websites to interact with their visitors without having the visitor to dial in the phone number.
Do you remember when Whatsapp groups were available on the internet using the Google search? Well, now phone numbers are: pic.twitter.com/lYC8ACV7oWJune 7, 2020
Messages too could be leaked
Facebook removed the feature to search users with their phone numbers a year ago due to privacy risk and impact leaking phone numbers. But a few days back, WhatsApp launched a new feature where friends can add you to their list by scanning a QR code.
Jayaram says that the phone numbers of those who use this feature to connect with websites can show up in Google Search results as the search indexes the feature’s metadata. He says that users’ phone numbers are visible in plain text in the URL — https://wa.me/<phone_number>.
Of course, this would be a bonanza for online scamsters.
“Depending on your Whatsapp privacy settings if the privacy settings are set to the public they may be already having your profile picture, name, profile status. As they have your mobile number, they may do SMS, calls. The best way to avoid the situation maybe to delete your Whatsapp account or change your mobile number,” he warns.
The leaked whatsapp numbers of any country can be found using the google search query site:wa.me “<country_code>”. For example, Indian mobile numbers can be accessed on Google by typing: site:wa.me “+91” on the search bar.
Most users tend to have the same profile picture on their other social media accounts. Hence, their other details can be also easily found out. Worryingly, Jayaram alleges, “Some users have their messages leaked as well, probably they used the Web API to communicate and those links got crawled.”
The industry norm is any leak of user data especially of multiple users has to be addressed quickly.
Google this – site:https://t.co/lQejnYDjvs “+91″You will end up with thousands of @WhatsApp Numbers that I guess shouldn’t be publicly available. Wonder if @Whatsapp will fix this or its kept like this on purpose?Fun Fact, this works for almost every country. 🤯 pic.twitter.com/g8MtotmxW5June 7, 2020
WhatsApp seems unconcerned
When Jayaram contacted the Facebook team, they reportedly told him that data abuse is only covered for Facebook platforms and not for WhatsApp.
Facebook’s approach is a bit puzzling. Today, mobile number is key to any individual, as it is linked to one’s Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards. Any velunerability on this front can be disastrous for users, both financially and personally.
This privacy issue could have been avoided if Whatsapp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages, Jayaram says.
WhatsApp has been quoted by this report as saying: “While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”