WhatsApp numbers of random users are showing up on Google because of the company’s “Click to Chat” feature, which generates dedicated links to user profiles. A researcher, who claims to have discovered the development, calls it a privacy issue and says that it leaks nearly three lakh phone numbers of WhatsApp users in plaintext. However, the issue isn’t as serious as it is being portrayed in the media, as the only phone numbers that become searchable on Google are those of users who have chosen to make them public by generating their links. Also, no names or other private details are showing up in Google Search.
The Click to Chat feature of WhatsApp allows you to create a link through which someone can connect with your WhatsApp profile directly. This removes the need to add a phone number to your contact list in order to chat, and gives a way to connect with individuals on the messaging app directly by using a link that includes the phone number of the WhatsApp contact.
WhatsApp has had the Click to Chat feature for quite some time, and it has been used by several businesses to connect with their customers without requiring them to store their numbers.
The issue was first reported by WhatsApp features tracker WaBetaInfo in February this year, around the same time people found WhatsApp group chat invite links being indexed by Google Search. The group invite issue was fixed shortly after it made the headlines, as it could have allowed random people to join private groups.
The phone number indexing is now back in the news because researcher Athul Jayaram claims to “have discovered this privacy issue,” even though it has been known for a while in the wild, as we mentioned earlier.
Jayaram noted in a post on Medium that the mobile numbers associated with the links created through the Click to Chat feature are visible on Google Search because WhatsApp hasn’t restricted search engines from indexing the domain wa.me that is used for those links. He also mentioned that various marketing executives, cybercriminals, and fraudsters could target the users whose numbers are visible on Google through the indexing of the wa.me links.
Having said that, it is important to note that apart from phone numbers, Google doesn’t have a record of any other personal data of users who’ve used the Click to Chat feature of WhatsApp. Jayaram found in some cases that he was able to see the profile pictures and profile statuses of the users whose numbers are visible in search results. However, those details are only available if the users have set their visibility to everyone, and one has to open each contact inside WhatsApp to see their profile picture, an arduous task.
Jayaram reached out to WhatsApp parent Facebook last month to report his discovery under a bug-bounty programme. However, he said that the social networking giant rejected his report by saying that its Data Abuse Bounty programme doesn’t cover WhatsApp.
In a statement to Threatpost, a WhatsApp spokesperson said that while the messaging app is a part of the bounty programme, the researcher’s report didn’t qualify for a bounty since it “merely contained a search engine index of URLs that WhatsApp users chose to make public.”
That said, Jayaram noted in his post that WhatsApp should care about the issue and avoid it by disallowing bots from crawling user links and by encrypting the mobile numbers of its users who have created links using the Click to Chat feature.
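The "disallow the bots" mitigation has a catch that site owners auditing their own link domains should check for: a robots.txt `Disallow` stops crawling, but a blocked URL can still be listed from external links, and the crawler then never sees a `noindex` directive. The following is an added example, not code from the article or from WhatsApp; the robots.txt text, headers, HTML, phone number and function names are all constructed for illustration.

```python
import re
from urllib.robotparser import RobotFileParser

# Constructed sample: a Click to Chat style URL with the number in the path.
SAMPLE_URL = "https://wa.me/15551234567"

def crawl_allowed(robots_txt, url, agent="Googlebot"):
    """True if the given robots.txt text lets `agent` fetch `url`."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)

def has_noindex(headers, html):
    """True if the response carries a noindex directive
    (X-Robots-Tag header or <meta name="robots"> tag)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "noindex" in hdrs.get("x-robots-tag", "").lower():
        return True
    m = re.search(
        r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)',
        html, re.IGNORECASE)
    return bool(m and "noindex" in m.group(1).lower())

def index_exposure(robots_txt, url, headers, html):
    """Classify how a search engine can treat the URL.

    indexable: crawlable and no noindex, so the page and its URL get indexed.
    excluded:  crawlable and noindex seen, so the URL is dropped from results.
    url-only:  crawl blocked; the crawler never reads noindex, and the bare
               URL (number included) can still be listed from external links.
    """
    if not crawl_allowed(robots_txt, url):
        return "url-only"
    return "excluded" if has_noindex(headers, html) else "indexable"

if __name__ == "__main__":
    cases = {
        "open":           ("User-agent: *\nAllow: /", {}, "<html></html>"),
        "robots block":   ("User-agent: *\nDisallow: /",
                           {"X-Robots-Tag": "noindex"}, ""),
        "noindex header": ("User-agent: *\nAllow: /",
                           {"X-Robots-Tag": "noindex, nofollow"}, ""),
    }
    for name, (robots, headers, html) in cases.items():
        print(name, "->", index_exposure(robots, SAMPLE_URL, headers, html))
```

Only the "excluded" result keeps the number out of search results; the "url-only" case is why a crawl block alone does not do so.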