WhatsApp Fixed A 'Not-A-Flaw' Issue That Exposed Users' Phone Numbers To The Web


To some WhatsApp users, one of the last things they want is to have their phone numbers, which can be tied to their identity, available for anyone to see on the web.

This is exactly what had happened, as discovered by Athul Jayaram. The security researcher ran site-specific Google searches for numbers on a WhatsApp-owned domain and found hundreds of thousands of phone numbers showing up in the results.

The WhatsApp domain is wa.me. It was created as part of WhatsApp's Click to Chat feature to let businesses or individuals put links on their websites so that people can easily send them WhatsApp chat messages through the mobile apps or WhatsApp's own desktop software.

There was a flaw on this website that allowed search engines to crawl and index its content, so WhatsApp users' numbers ended up being served as search results.

In a Medium blog post, Athul Jayaram said that:

"Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number; you cannot revoke it."

"Well, the impact may be unknown people messaging you. Maybe they are marketing executives, cybercriminals, fraudsters targeting you. Depending on your WhatsApp privacy settings, if the privacy settings are set to public, they may already have your profile picture, name and profile status."

As a result of this, more than 300,000 WhatsApp phone numbers were indexed by Google, and in some cases even the message text. URLs embedded in redistributable QR codes were also indexed by search engines and appear in search results.

Jayaram recommends that WhatsApp add a robots.txt file to wa.me and the related api.whatsapp.com to prevent users' phone numbers from being indexed.
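As an added example (not code from the article, from Jayaram or from WhatsApp), the following Python audit takes a list of a site's URLs, flags those that carry a phone number in the path or query the way wa.me links do, and reports whether each is kept out of search results; the function names and the sample wa.me paths and headers are constructed assumptions. It also encodes the caveat a robots.txt-only fix misses: a Disallow stops the crawler from fetching the page, but a URL the crawler has discovered elsewhere can still be listed, so the number only stays out of results when a noindex directive is on a page the crawler is allowed to fetch.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A path segment or query value shaped like a phone number (7-15 digits, optional '+').
_PHONE = re.compile(r"^\+?\d{7,15}$")

def has_phone_number(url: str) -> bool:
    """True if any path segment or query value of the URL is a phone number."""
    parts = urlsplit(url)
    values = [seg for seg in parts.path.split("/") if seg]
    values += [v for _, v in parse_qsl(parts.query)]
    return any(_PHONE.match(v) for v in values)

def robots_disallows(robots_txt: str, path: str, agent: str = "*") -> bool:
    """Prefix-match the Disallow rules of the `agent` group (no Allow/wildcards)."""
    in_group = blocked = False
    for raw in robots_txt.splitlines():
        key, _, value = (s.strip() for s in raw.split("#", 1)[0].partition(":"))
        if key.lower() == "user-agent":
            in_group = value == agent
        elif in_group and key.lower() == "disallow" and value:
            blocked = blocked or path.startswith(value)
    return blocked

def audit(urls, robots_txt, headers_by_url) -> dict:
    """Classify each URL as no-number, crawl-blocked, noindex or exposed. Disallow
    is checked first: it stops the fetch, so a noindex header on that page is never
    seen and the bare URL (number included) can still be listed if linked elsewhere."""
    result = {}
    for url in urls:
        robots_tag = headers_by_url.get(url, {}).get("X-Robots-Tag", "")
        if not has_phone_number(url):
            result[url] = "no-number"
        elif robots_disallows(robots_txt, urlsplit(url).path):
            result[url] = "crawl-blocked"
        elif "noindex" in robots_tag.lower():
            result[url] = "noindex"
        else:
            result[url] = "exposed"
    return result

# Constructed sample input (not from the article): a robots.txt that blocks
# only /message/, and the response headers seen for each wa.me-style URL.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /message/\n"
SAMPLE_HEADERS = {
    "https://wa.me/15551234567": {"X-Robots-Tag": "noindex, nofollow"},
    "https://wa.me/15559876543?text=Hello": {},
    "https://wa.me/message/15557654321": {},
    "https://wa.me/about": {},
}
```

Running `audit(SAMPLE_HEADERS, SAMPLE_ROBOTS, SAMPLE_HEADERS)` classifies the four sample URLs; only the "noindex" one is actually kept out of results, while "crawl-blocked" shows the robots.txt-only case.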

Jayaram reported the issue to Facebook, and WhatsApp fixed it a few days later. However, when he asked for a bug bounty, he was turned away.

A WhatsApp spokesperson said that the issue didn't actually qualify as a bug because "it merely contained a search engine index of URLs that WhatsApp users chose to make public."

"My phone number is public on the web. No need to implicate WhatsApp," said one person whose number came up in the Google search results.

In other words, wa.me was only ever meant to be a kind of incomplete Yellow Pages, so that businesses can better reach their customers through the web.

This appeared on Google search results when querying for WhatsApp users in the UK.

The popular messaging platform has been repeatedly criticized by security experts for its attitude towards user data. Jayaram's finding illustrated exactly that, as the flaw allowed users' phone numbers to be crawled and indexed by search engines.

While WhatsApp fixed the issue, the company, which was aware of the situation, didn't consider it a security issue at all.

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” the spokesperson added.

For this reason, Jayaram said that the best way to avoid this kind of issue is to delete the WhatsApp account and opt for a more secure solution.

It should be noted, though, that not every phone number registered with WhatsApp was listed.

The numbers listed were those that had been used to chat with website operators. In other words, WhatsApp users who created a simplified link to let others chat with them or join a group were the ones who appeared in search results.

WhatsApp users who have never spoken to anyone on WhatsApp except the people they know personally are probably not affected by this privacy issue.

Jayaram isn’t the first person to report that WhatsApp phone numbers were visible in Google search results. WhatsApp landed in a similar controversy in February 2020, when a report found that anyone could look up private group links.

Published: 07/06/2020