Cybersecurity researcher claims WhatsApp privacy issue made users’ phone numbers searchable in plain text on Google
An independent cybersecurity researcher, Athul Jayaram, has revealed that due to a privacy issue, WhatsApp numbers of users from the US, UK, India and many other countries have been leaked and are available on the open web in plain text.
Jayaram revealed this in a post on Medium. He claims that around 29,000-3,00,000 WhatsApp users’ mobile numbers are now accessible in plain text to any internet user.
He explains that WhatsApp offers a Click to Chat feature that lets users create a link that can be shared anywhere, such as on Twitter, and anyone who clicks on that link can contact them on WhatsApp. Because of the privacy loophole, the feature was reportedly putting users’ phone numbers at risk by allowing Google Search to index the links. As a consequence, these phone numbers can show up in Google Search results.
He says anyone, including cybercriminals, fraudsters and marketing executives, can get hold of these numbers by running a simple Google search query: site:wa.me<+country code>. They can even look at your WhatsApp display picture and status if you have made them public.
We reached out to WhatsApp to learn more about the security issue. A company spokesperson said, “Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers. While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”
How can this be avoided?
Meanwhile, Jayaram also offered a solution to the issue.
“This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers, as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages. Unfortunately, they did not do that yet, and your privacy may be at stake.”
Google’s indexing of WhatsApp numbers raises privacy concerns
Google is indexing the phone numbers used on WhatsApp, and a researcher is concerned that it could cause privacy issues or be used for malicious purposes.
Earlier this year, Bleeping Computer reported how invite links to private groups of messaging apps like WhatsApp and Telegram were visible on Google, letting anyone join the groups.
This week, security researcher Athul Jayaram highlighted an issue with WhatsApp’s “wa.me” domain “leaking” contact phone numbers on Google.
The ‘wa.me’ domain is owned by WhatsApp and is used to host ‘Click to Chat’ links, a feature that “allows you to begin a chat with someone without having their phone number saved in your phone’s address book.”
As stated by Jayaram and confirmed by BleepingComputer, there is no “robots.txt” file on the “wa.me” or “api.whatsapp.com” domains that instructs search engines not to crawl the phone-number pages on those sites.
As a result, links which start with “https://wa.me/” get indexed by Google and other search engines and appear in search results.
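The two controls discussed in this article, a robots.txt file and a per-page noindex signal, are evaluated differently by a search engine, and the difference matters for the recommendation the researcher makes later. The following is an added example, not code from the article, from WhatsApp or from the researcher: it uses Python's standard robots.txt parser to show how a crawler decides whether it may fetch a URL, checks a page for a noindex meta tag or X-Robots-Tag header, and combines the two to classify the likely indexing outcome. The robots.txt contents, the HTML snippets and the placeholder URL https://wa.me/0000000000 are all constructed here for illustration.

```python
"""Added example (not from the article, WhatsApp or the researcher):
how robots.txt and noindex interact for a URL such as a click-to-chat
link. Every robots.txt body, HTML snippet and URL below is constructed."""
from html.parser import HTMLParser
from typing import Dict, Optional
from urllib import robotparser

# Constructed robots.txt that forbids every crawler from fetching any path.
ROBOTS_TXT_DISALLOW_ALL = """\
User-agent: *
Disallow: /
"""

# Constructed robots.txt that permits crawling; indexing is then decided
# by whatever noindex signal the fetched page carries.
ROBOTS_TXT_ALLOW_ALL = """\
User-agent: *
Allow: /
"""


def crawl_allowed(robots_txt: str, url: str, agent: str = "Googlebot") -> bool:
    """Return True if `agent` may fetch `url` under the given robots.txt body."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())  # parse() also marks the file as read
    return rp.can_fetch(agent, url)


class _MetaRobotsParser(HTMLParser):
    """Collects whether a <meta name="robots" content="...noindex..."> is present."""

    def __init__(self) -> None:
        super().__init__()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots" and "noindex" in a.get("content", "").lower():
            self.noindex = True


def has_noindex(html: str, headers: Optional[Dict[str, str]] = None) -> bool:
    """True if the response carries a noindex directive, either as an
    X-Robots-Tag HTTP header or as a robots meta tag in the HTML."""
    headers = headers or {}
    header_value = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    if "noindex" in header_value.lower():
        return True
    parser = _MetaRobotsParser()
    parser.feed(html)
    return parser.noindex


def indexing_outcome(robots_txt: str, url: str, html: str,
                     headers: Optional[Dict[str, str]] = None) -> str:
    """Classify what a search engine can do with `url`:
    - 'blocked-from-crawl': robots.txt forbids the fetch, so any noindex on the
      page is never seen; the bare URL can still be listed if linked elsewhere.
    - 'crawled-noindex': the page was fetched and asks not to be indexed.
    - 'indexable': fetched, no noindex signal, so it may appear in results."""
    if not crawl_allowed(robots_txt, url):
        return "blocked-from-crawl"
    if has_noindex(html, headers):
        return "crawled-noindex"
    return "indexable"


if __name__ == "__main__":
    url = "https://wa.me/0000000000"  # constructed placeholder, not a real number
    page = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
    print(indexing_outcome(ROBOTS_TXT_DISALLOW_ALL, url, page))   # blocked-from-crawl
    print(indexing_outcome(ROBOTS_TXT_ALLOW_ALL, url, page))      # crawled-noindex
    print(indexing_outcome(ROBOTS_TXT_ALLOW_ALL, url, "<html></html>"))  # indexable
```

The classification reflects a point a site operator would want to get right: a robots.txt Disallow stops the crawler from fetching the page, so a noindex tag on that page is never read, and a URL that is linked from elsewhere can still be listed by URL alone. To keep a page out of the index, the page has to be crawlable and carry the noindex signal (meta tag or X-Robots-Tag header); robots.txt alone only reduces crawling.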
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” Jayaram told Threatpost, who broke the story.
When clicked, these links redirect to an “api.whatsapp.com” page enabling a user to “continue chat” with the WhatsApp user.
While this could be a potential privacy issue, especially if spammers can get their hands on legitimate WhatsApp numbers being indexed by Google and text you directly on WhatsApp, this isn’t necessarily a bug.
As a test, I created the fake http://wa.me/11111 link using a fake phone number.
As you can see, this redirected me to the api.whatsapp.com/send?phone=11111 link, shown below. This link showed the same landing page, giving the impression that the number was a valid WhatsApp contact, even though it wasn’t.
This means spammers can’t simply exploit this feature to “enumerate” legitimate WhatsApp numbers.
Perhaps it is for that reason that Facebook had rejected the bug bounty report filed by Jayaram on the issue:
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” Jayaram told Threatpost.
Additionally, it is worth noting that entire directories of legitimate phone numbers, regardless of whether they have had a WhatsApp/Telegram account, are posted on the web.
This practice has been going on for decades, long before messaging apps even existed, and has allowed Google to index the numbers.
Therefore, publishing a mere phone number on the web does not automatically link to personally identifiable information or passwords.
Jayaram still feels that the public indexing of phone numbers can be a security risk or privacy risk, as so many of our online services are tied to our phone numbers.
The researcher recommends that WhatsApp use a robots.txt file on its domains, preventing Google from crawling these results, and also encrypt users’ mobile numbers.
“Unfortunately they did not do that yet, and your privacy may be at stake,” he said. “Today, your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility,” Jayaram stated.
It is not entirely clear what is meant by “encrypting” mobile numbers in this context, but it could be to obfuscate the numbers with randomized strings, such as this one bit.ly URL https://bit.ly/2Mxb5Hp, which redirects to BleepingComputer.
Unfortunately, at this time, WhatsApp does not provide a way to make your phone number private.
Those who are concerned about it being indexed should get a virtual phone number from Google Voice or another similar service.