
Wednesday, June 10, 2020

WhatsApp Update: Using this WhatsApp feature will land your telephone number in Google search results


Google is indexing WhatsApp numbers - should we be concerned?

Users of WhatsApp’s Click to Chat feature could see their personal phone numbers exposed via public Google search results, according to a new discovery made by a security researcher.

Click to Chat is a lesser-known WhatsApp feature that lets website visitors chat with website operators via the messaging service. For instance, if a visitor to an e-commerce site had a question about a listing, they could scan a QR code to enter a WhatsApp conversation with the relevant helpdesk.

However, according to researcher and bug-bounty hunter Athul Jayaram, using this feature can land a user’s telephone number in public search results, opening the door to all manner of scams and cyberattacks.

WhatsApp data privacy

Messaging platform WhatsApp is renowned for its high data privacy standards, offering end-to-end encryption to all users. However, this latest discovery suggests personal data might not be as private as users might like to think.

Users’ numbers are being exposed by the WhatsApp-owned “wa.me” domain, which stores Click to Chat metadata in a URL string (e.g. https://wa.me/). Because there is no measure in place to stop search engines indexing this metadata, the numbers are in effect leaked into public search results.

“Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You can't revoke it,” explained Jayaram.
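For an operator who publishes pages whose URL carries an identifier such as a phone number, the sketch below checks the three standard indexing controls (robots.txt, the `X-Robots-Tag` header and the robots meta tag) for one page. It is an added example, not code from WhatsApp or the researcher; the host, number and function names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= split_directives(a.get("content", ""))


def split_directives(value):
    # Plain comma-separated form only; "googlebot: noindex" prefixes are not handled.
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def indexing_controls(url, headers, html, robots_txt, agent="Googlebot"):
    """Report which controls would keep `url` out of a search index."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_allowed = rp.can_fetch(agent, url)

    directives = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            directives |= split_directives(value)
    meta = RobotsMeta()
    meta.feed(html)
    directives |= meta.directives

    noindex = bool({"noindex", "none"} & directives)
    # noindex is only honoured if the crawler may fetch the page and read it;
    # a robots.txt Disallow alone does not keep an externally linked URL out.
    return {"crawl_allowed": crawl_allowed, "noindex_present": noindex,
            "kept_out_of_index": noindex and crawl_allowed}


# Constructed sample: placeholder host and number, no indexing controls at all.
URL = "https://example.test/15555550100"
if __name__ == "__main__":
    print(indexing_controls(URL, {}, "<html><head></head></html>", ""))
```

A page that relies on a robots.txt `Disallow` while also carrying `noindex` reports `kept_out_of_index` as false, because the crawler never fetches the page to see the directive.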

“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, and scammers.”

Scouring the domain via Google searches, Jayaram reportedly uncovered 300,000 WhatsApp numbers made public via this mechanism. Clicking through to the web page doesn't reveal the user’s full name, but does reveal their WhatsApp profile picture.

Having made the discovery on May 23, Jayaram subsequently reported the issue to WhatsApp owner Facebook through its bug-bounty scheme.

The submission was dismissed, however, on the grounds that WhatsApp users have full oversight of the information attached to their profile that is made publicly available.

“While we appreciate this researcher’s report and value the time he took to share it with us, it didn't qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public,” said a WhatsApp spokesperson.

“All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”

Jayaram, however, believes the firm should take the disclosure more seriously, given the scope of attacks the issue could facilitate.

“Today, your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks is another possibility,” he said.



