An independent cybersecurity researcher from India claimed that the WhatsApp web portal had “leaked around 29,000–3,00,000 WhatsApp users’ mobile numbers in plaintext accessible to any internet user”. Athul Jayaraman, who calls himself a “full-time bug bounty hunter”, said the numbers were visible on Google and that users from the United States, United Kingdom and India were among the most affected. In its response, WhatsApp said the findings did not qualify for a bug bounty as they “merely contained a search engine index of URLs that WhatsApp users chose to make public”.
So, how does your WhatsApp number end up on Google?
Jayaraman said that WhatsApp’s new feature, which lets users add a contact by scanning a QR code, produces a code that decodes to a https://wa.me/ URL. The same feature also offers a click to chat option that generates shareable links, and the researcher claimed that the phone number in such a link is not encrypted, so it appears in the URL in plaintext.
What has been WhatsApp’s response?
In a statement responding to Jayaraman’s findings, a WhatsApp spokesperson said its click to chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and micro-businesses around the world to connect with their customers. “While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” the statement said.
While WhatsApp acknowledges how the feature works, it maintains that those who share a click to chat link make a conscious decision to make their number visible to others. Also, given what the feature is meant for, it is unlikely that individuals would share such URLs publicly.
Meanwhile, Google has stopped indexing wa.me links, which suggests WhatsApp has since blocked search engines from crawling those URLs.
What is WhatsApp’s click to chat feature?
WhatsApp’s blog describes click to chat as a feature that allows users to “begin a chat with someone without having their phone number saved in your phone’s address book”. Users will, however, need the number of the person they want to reach, and that person must also be a WhatsApp user for the generated link to open a chat. Click to chat works on both your phone and WhatsApp Web.
Users can generate a click to chat link by appending their number, written in international format with the country code, to https://wa.me/ so that the link ends in the full phone number in international format. Omit any zeroes, brackets, or dashes when adding the phone number in international format. It is also possible to add a pre-written message to such links.
Should all WhatsApp users be worried?
No, this is not a vulnerability all users should be worried about. Only those who have created click to chat links and made them publicly available, for instance by tweeting the link or sharing it on other platforms, stand a chance of being exposed.
Even so, users are advised to create such links with caution, especially when the link is being generated for a personal number. It is in any case not a good idea to share your number on any platform that could get indexed by Google, and the problem becomes bigger if the indexed page also shows the user’s name alongside the number.
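As an added example (not code from the article or from WhatsApp), the following Python script shows the two sides of what this section describes: how a click to chat link is assembled from a phone number under the rules above (international format, no zeroes, brackets or dashes), and a simple self-check a user can run over a draft post or web page to see whether it already contains a wa.me link exposing a given number before it gets published and indexed. The `text` query parameter used for the pre-written message is taken from WhatsApp’s public documentation and is not mentioned on this page; the phone numbers and the draft post are constructed sample values.

```python
import re
from typing import List, Optional
from urllib.parse import quote

WA_ME_BASE = "https://wa.me/"

# Digits only, no leading zero, 7 to 15 digits: the shape of a number in international format.
INTERNATIONAL_NUMBER_RE = re.compile(r"^[1-9]\d{6,14}$")

# Matches a wa.me click to chat link and captures the phone number that follows the host.
WA_ME_LINK_RE = re.compile(r"https?://wa\.me/(\d+)(?:\?[^\s\"'<>]*)?", re.IGNORECASE)


def normalise_international_number(raw: str) -> str:
    """Reduce a human-written number to the digits that follow https://wa.me/.

    Applies the page's rules: keep the country code, drop brackets and dashes,
    and drop the zeroes that are not part of the number itself (a '(0)' trunk
    prefix, a '00' dial-out prefix, a leading '+'). Anything that still does not
    look like an international number is rejected rather than guessed at.
    """
    cleaned = re.sub(r"\(0\)", "", raw)                 # trunk prefix written as (0)
    cleaned = re.sub(r"[\s()\[\]\-.]", "", cleaned)      # spaces, brackets, dashes, dots
    cleaned = cleaned.lstrip("+").lstrip("0")            # '+' and '00' dial-out prefix
    if not INTERNATIONAL_NUMBER_RE.match(cleaned):
        raise ValueError(f"not a phone number in international format: {raw!r}")
    return cleaned


def build_click_to_chat_link(raw_number: str, prefilled_text: Optional[str] = None) -> str:
    """Build https://wa.me/<number>, optionally with a URL-encoded pre-written message."""
    link = WA_ME_BASE + normalise_international_number(raw_number)
    if prefilled_text:
        # 'text' is the query parameter WhatsApp documents for the pre-written message
        # (assumption taken from WhatsApp's public FAQ, not from this article).
        link += "?text=" + quote(prefilled_text, safe="")
    return link


def find_exposed_numbers(text: str) -> List[str]:
    """Return every phone number that appears inside a wa.me link in the given text."""
    return sorted(set(WA_ME_LINK_RE.findall(text)))


def is_number_exposed(text: str, raw_number: str) -> bool:
    """True if the given number is published via a wa.me link somewhere in the text."""
    return normalise_international_number(raw_number) in find_exposed_numbers(text)


# Constructed sample: a draft post a small business might be about to publish.
SAMPLE_DRAFT_POST = (
    "Book via WhatsApp: https://wa.me/15551234567?text=Hello%20from%20the%20Explained%20desk\n"
    "Or call the shop: https://wa.me/442079460958\n"
    "Unrelated link: https://example.com/wa.me/not-a-number\n"
)


if __name__ == "__main__":
    print(build_click_to_chat_link("+1 (555) 123-4567", "Hello from the Explained desk"))
    print("numbers exposed in draft:", find_exposed_numbers(SAMPLE_DRAFT_POST))
    # A personal number that should never appear in a public post (constructed value):
    print("personal number exposed?", is_number_exposed(SAMPLE_DRAFT_POST, "+91 98765 43210"))
```

The normaliser rejects input it cannot make sense of instead of silently producing a link to the wrong number, and the self-check operates on whatever text is about to be published, which is the moment at which a personal number can still be kept out of search engine indexes.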