A security researcher discovered that WhatsApp's “Click to Chat” feature puts everyone at risk because WhatsApp contact details are indexed by Google Search. However, they said it’s no big deal, since search only reveals what the user has selected in their privacy settings.
A researcher discovered the leaked phone numbers issue. “Click to Chat” allows websites to initiate a WhatsApp chat session by associating a QR code directly.
The issue is that these phone numbers can appear in Google Search results, since search engines monitor metadata. The contact details are revealed as part of a URL string (https://wa.me/) which shows the contact detail of a specific account.
“Since numbers are accessible in plaintext URL, and anyone who approaches the URL can know the contact details and thereby see the profile picture of the targeted account and can do a reverse picture search to identify their other web-based social networking accounts and find considerably progressive information on the targeted person.”
According to a research study, some people are unaware that their numbers are public while others say that they did it on purpose to boost their business.
On this issue, Facebook responded to the complaint by saying that data abuse is only covered for Facebook platforms, and not for WhatsApp. Danny Sullivan, a public liaison for Google Search, said on Twitter that the situation is “no different than any case where a site allows URLs to be publicly listed.” Google does offer tools that allow sites to block content from being listed, but Google cannot remove URLs from the web (only webmasters can do that).
New: Google is letting anyone find invite links to some private WhatsApp groups. Here is one we joined that is supposed to be for United Nations NGOs judging by its description. Can see members and get numbers https://t.co/TzWjqQmm2P pic.twitter.com/jda25POc0h
— Joseph Cox (@josephfcox) February 21, 2020
However, even if something is omitted from Google’s results, it can still turn up in the results of all other search engines.
Researchers advised WhatsApp to encrypt user mobile numbers and to add a robots.txt file that disallows bots from crawling its domain. A mobile number is linked to other accounts such as bank accounts and credit cards, so knowing it can allow an attacker to perform SIM card swapping and cloning attacks.
WhatsApp has not yet responded to that suggestion.
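The robots.txt recommendation can be checked before deployment. The following is an added example, not code from WhatsApp or the researchers. It uses Python's standard `urllib.robotparser` to show which crawlers may still fetch a click-to-chat style URL under three constructed policies; the policy texts, the crawler list and the fictional 555 number are assumptions made for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt policies for illustration; none is WhatsApp's real file.
POLICIES = {
    "allow_all": "User-agent: *\nDisallow:\n",                # empty Disallow = crawl everything
    "googlebot_only": "User-agent: Googlebot\nDisallow: /\n",  # blocks one engine only
    "all_crawlers": "User-agent: *\nDisallow: /\n",            # blocks every compliant bot
}

# Crawler user-agent tokens to evaluate (assumed list; extend as needed).
CRAWLERS = ["Googlebot", "Bingbot", "DuckDuckBot"]

# Constructed click-to-chat style URL carrying a fictional 555 number.
SAMPLE_URL = "https://wa.me/15555550100"


def crawlers_allowed(policy_text, url, crawlers=CRAWLERS):
    """Return the crawlers that this robots.txt text permits to fetch url."""
    parser = RobotFileParser()
    parser.parse(policy_text.splitlines())
    return [ua for ua in crawlers if parser.can_fetch(ua, url)]


def audit(policies=POLICIES, url=SAMPLE_URL):
    """Map each policy name to the crawlers that can still reach the URL."""
    return {name: crawlers_allowed(text, url) for name, text in policies.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        if allowed:
            print(f"{name:15} still crawlable by: {', '.join(allowed)}")
        else:
            print(f"{name:15} blocked for all tested crawlers")
```

The `googlebot_only` case reflects the point about other search engines: a rule aimed at one crawler leaves the URL reachable by the rest. robots.txt is honoured voluntarily by compliant crawlers and governs crawling only, so it complements the site-side blocking tools mentioned earlier rather than replacing them.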