According to independent cybersecurity researcher Athul Jayaram, the mobile numbers of many WhatsApp users can be found with a simple Google search. In a blog post, Jayaram wrote that he had discovered a “privacy issue in the WhatsApp web portal that leaked around 29000 – 300000 WhatsApp users’ mobile numbers in plain text accessible to any internet user.”
He noted that the affected users are from the United States, the United Kingdom, India and almost all other countries. “What makes this easy or appears to be simple is that data is accessible on the open web and not on the dark web,” Jayaram said. The issue was first reported by Threatpost.
Jayaram contacted Facebook, which owns WhatsApp, and informed it of the issue; the company reportedly replied that data abuse is covered only for Facebook platforms and not for WhatsApp.
He said, “This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages, unfortunately they did not do that yet and your privacy may be at stake.”
Jayaram also noted, “with a big user base, they should care about these vulnerabilities. Today your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, Credit cards leading an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility.”
WhatsApp has a “click to chat feature where the links are generated as https://wa.me/”, Jayaram said. This feature, he revealed, “does not encrypt the phone number in the link, as a result, if this link is shared anywhere, your phone number is also visible in plaintext.”
For instance, Jayaram explains, if a user shares a “click to chat” link with a friend on Twitter or any other platform, the user’s mobile number is visible in plain text in the URL itself, and anyone who finds the URL can obtain the number. Once exposed, the number cannot be revoked.
The number remains findable on Google even after the original tweet is deleted: by the time the tweet is removed, Googlebot will typically have crawled the URL, and the indexed link stays accessible to everyone on the web.
“This is because https://wa.me does not have a robots.txt file in its server root, which means you cannot stop Google or other search engine bots from crawling and indexing the wa.me links, which means those links will stay on the web. The pages do not have noindex meta tags to prevent any search engines from indexing the links,” Jayaram said.
The most immediate impact is unsolicited messages from strangers. Marketing executives, cybercriminals and fraudsters could also find the number and target its owner.
Moreover, if the user’s WhatsApp privacy settings are set to public, scammers may also be able to see the profile picture, name, profile status and other details. Cybercriminals who already have the number may also call or text the user directly. Jayaram suggests that “the best way to avoid the situation may be to delete your WhatsApp account or change your mobile number.”
To find out which mobile numbers appear in Google Search, type site:wa.me followed by a country code. For example, to find Indian mobile numbers that Google has indexed, search for site:wa.me “+91”.
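The two points the article makes, that a wa.me click-to-chat link carries the phone number in plain text in the URL, and that indexing of such links is governed by robots.txt and a noindex directive, can be checked mechanically. The following Python script is an added example written for this page; it is not code from the article, from Jayaram or from WhatsApp. It extracts the number from wa.me links in a constructed list of shared URLs, groups them by calling code using a deliberately partial country table, and evaluates the two indexing controls against constructed robots.txt and page responses. Nothing here was captured from wa.me, the phone numbers are made up, and the only URL shape assumed is the https://wa.me/<number> form the article gives.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed sample: links as they might appear in public posts. The numbers
# are fictional (US 555 range, UK 07700 900xxx drama range, a made-up Indian number).
SAMPLE_LINKS = [
    "https://wa.me/15550000001?text=Hi%20there",
    "https://wa.me/+447700900123",
    "https://wa.me/911234567890",
    "https://wa.me/message/ABCDEFGHIJKL1",   # business short link: no number in the URL
    "https://example.com/not-whatsapp",
]

# Assumption: a partial calling-code table covering only the countries the article
# names (E.164 country codes are 1 to 3 digits, so matching is longest-prefix first).
COUNTRY_CODES = {"1": "US/Canada", "44": "United Kingdom", "91": "India"}


def extract_number(url: str):
    """Return the digits of a https://wa.me/<number> click-to-chat link, else None."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != "wa.me":
        return None
    m = re.fullmatch(r"/\+?(\d{7,15})", parts.path)   # E.164 allows at most 15 digits
    return m.group(1) if m else None


def country_of(number: str) -> str:
    """Longest-prefix match of the leading digits against the calling-code table."""
    for width in (3, 2, 1):
        if number[:width] in COUNTRY_CODES:
            return COUNTRY_CODES[number[:width]]
    return "unknown"


def numbers_by_country(links):
    """Group the phone numbers exposed by a list of URLs by calling country."""
    found = {}
    for link in links:
        num = extract_number(link)
        if num:
            found.setdefault(country_of(num), []).append(num)
    return found


class _RobotsMeta(HTMLParser):
    """Collect the directives of any <meta name="robots" content="..."> tag."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "robots":
            self.directives.update(d.strip().lower() for d in a.get("content", "").split(","))


def indexing_status(url, robots_txt, headers, html, agent="Googlebot"):
    """Evaluate the two controls the article mentions for one URL.

    crawl_allowed: verdict of the site's robots.txt for this crawler.
    noindex: a noindex directive in the X-Robots-Tag header or a robots meta tag.
    noindex_effective: a crawler only sees noindex if it is allowed to fetch the
    page, so a robots.txt Disallow that hides the directive defeats it; and a
    Disallow alone does not keep a URL that is linked elsewhere out of the index.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())          # empty file => everything allowed
    crawl_allowed = rp.can_fetch(agent, url)
    header_val = " ".join(v for k, v in headers.items() if k.lower() == "x-robots-tag")
    meta = _RobotsMeta()
    meta.feed(html)
    noindex = "noindex" in header_val.lower() or "noindex" in meta.directives
    return {"crawl_allowed": crawl_allowed, "noindex": noindex,
            "noindex_effective": crawl_allowed and noindex}


# Constructed responses for the demonstration (not captured from wa.me).
EMPTY_ROBOTS = ""                                   # no robots.txt at all
BARE_PAGE = "<html><head><title>WhatsApp</title></head><body></body></html>"
HARDENED_ROBOTS = "User-agent: *\nDisallow: /\n"
NOINDEX_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'

if __name__ == "__main__":
    print(numbers_by_country(SAMPLE_LINKS))
    url = "https://wa.me/911234567890"
    print(indexing_status(url, EMPTY_ROBOTS, {}, BARE_PAGE))                       # indexable
    print(indexing_status(url, EMPTY_ROBOTS, {"X-Robots-Tag": "noindex"}, BARE_PAGE))  # excluded
    print(indexing_status(url, HARDENED_ROBOTS, {}, NOINDEX_PAGE))                 # noindex never seen
```

The third call is the case a practitioner should watch for: blocking the whole domain in robots.txt and adding a noindex tag at the same time leaves the crawler unable to read the tag, so the URL can still be listed from inbound links such as tweets. To keep an already-linked URL out of the index the page has to stay fetchable and answer with noindex (the X-Robots-Tag header works for non-HTML responses too).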