Google indexes thousands of WhatsApp phone numbers

Jun 9, 2020 04:46 GMT  ·  By

WhatsApp has become the number one mobile messaging app, and Facebook itself has tried to make it more than just a simple tool allowing people to connect on Android and iOS.

The Click to Chat feature, for example, lets two WhatsApp accounts get in touch using nothing more than a QR code or a custom URL. Intended for businesses that want customers to reach them quickly, Click to Chat only requires the user to scan the QR code (or open the link) to start a messaging session, without ever typing in the phone number.

However, the phone number itself is revealed once the chat starts, and both the QR code and the URL embed it, because without the number Click to Chat would have nothing with which to connect the two accounts.

Security researcher Athul Jayaram found that it is precisely this feature that exposes users' phone numbers: the Click to Chat links can end up indexed by Google because of the way the QR codes and links are built.

The reason is that the QR code and the custom URL carry the phone number in the link itself. WhatsApp serves these links from a public domain, wa.me, and the link for a given account is simply the wa.me address followed by that account's phone number. Once Google crawls that domain, every Click to Chat link it can reach, each one generated from a phone number, goes into its index.

In other words, Google reads the phone numbers straight out of the URLs and indexes them, so anyone searching the index can discover phone numbers that were only ever meant to be shared through a QR code or a link.
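The following is an added example, not code from the article or from WhatsApp or Google. It makes the mechanism concrete: the number is recoverable from the Click to Chat URL itself, with no scraping of the landing page needed, so any copy of the URL (a crawler's index included) is a copy of the number. It handles the wa.me/<number> form the article describes and WhatsApp's equivalent api.whatsapp.com/send?phone=<number> form, which the article does not mention. It also includes the check a site owner would run to see whether a page opts out of indexing via the standard X-Robots-Tag header or robots meta tag. All URLs, headers and HTML in it are constructed samples, not real crawl results.

```python
"""Added example (not from the article): why a Click to Chat link leaks the
phone number once a crawler stores it, and how a site owner checks whether a
page is blocked from indexing.

Assumptions (labelled): the link forms handled are wa.me/<number>, as in the
article, and api.whatsapp.com/send?phone=<number>, which the article does not
mention. SAMPLE_URLS, SAMPLE_HEADERS and SAMPLE_HTML are constructed data.
"""
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# E.164 numbers are at most 15 digits; require a plausible minimum as well.
_E164 = re.compile(r"^\d{7,15}$")


def phone_from_click_to_chat(url: str) -> Optional[str]:
    """Return the phone number embedded in a Click to Chat URL, or None.

    The number is not hidden metadata: it is the URL path (wa.me/<number>) or
    a query parameter (api.whatsapp.com/send?phone=<number>). Anything that
    stores or indexes the URL has therefore stored the number.
    """
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    if host == "wa.me":
        candidate = parts.path.strip("/")
    elif host == "api.whatsapp.com" and parts.path == "/send":
        candidate = parse_qs(parts.query).get("phone", [""])[0]
    else:
        return None
    digits = re.sub(r"\D", "", candidate)  # tolerate a leading '+' or spaces
    return digits if _E164.match(digits) else None


def numbers_from_index(urls: Iterable[str]) -> List[str]:
    """Deduplicate every number recoverable from a list of indexed URLs."""
    found = set()
    for url in urls:
        number = phone_from_click_to_chat(url)
        if number:
            found.add(number)
    return sorted(found)


def blocks_indexing(headers: dict, html: str) -> bool:
    """True if the page opts out of search indexing.

    Checks the two standard controls: an X-Robots-Tag: noindex response
    header and a <meta name="robots" content="noindex"> tag. Only the site
    owner can set either on wa.me, which is why a third party cannot fix the
    exposure at the source. (Simplification: the meta tag is matched with
    the name attribute before content.)
    """
    for name, value in headers.items():
        if name.lower() == "x-robots-tag" and "noindex" in value.lower():
            return True
    meta = re.search(
        r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']',
        html,
        re.IGNORECASE,
    )
    return bool(meta and "noindex" in meta.group(1).lower())


# Constructed sample: what a search-engine index of Click to Chat links might hold.
SAMPLE_URLS = [
    "https://wa.me/15551234567",
    "https://wa.me/15551234567?text=Hello",                   # same number, prefilled text
    "https://api.whatsapp.com/send?phone=%2B447700900123",     # URL-encoded '+'
    "https://wa.me/",                                          # domain root: no number
    "https://example.com/contact",                             # unrelated page
]

# Constructed sample responses for the indexing check.
SAMPLE_HEADERS_NOINDEX = {"Content-Type": "text/html", "X-Robots-Tag": "noindex"}
SAMPLE_HTML_NOINDEX = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
SAMPLE_HTML_PLAIN = "<html><head><title>Chat</title></head></html>"

if __name__ == "__main__":
    print("numbers recoverable from the sample index:", numbers_from_index(SAMPLE_URLS))
    print("sample page blocks indexing:", blocks_indexing({}, SAMPLE_HTML_PLAIN))
```

The point of `numbers_from_index` is that it never fetches anything: a list of URLs is already a list of phone numbers. `blocks_indexing` is the site-owner side of the story; a webmaster would run it against a live wa.me landing page to see whether crawlers are being told to stay out.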

How attackers can abuse the exposed info

At first this may not look like a big deal, but, as the researcher explains in an analysis shared with Threatpost, malicious actors can build on it to collect far more. Once they have someone's phone number, they can view that person's WhatsApp profile picture, then use the photo to search social media and other web resources, tie it to further accounts and so obtain additional details.

The researcher says he found some 300,000 WhatsApp phone numbers in Google's index and reported the issue to the Facebook-owned company through its bug bounty program.

WhatsApp, for its part, said that users themselves decide whether they want to share any information.

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” a company spokesperson told the cited source.

Google, meanwhile, says it simply indexes publicly available pages and that only a site's webmasters can have its URLs removed.