WhatsApp numbers leaking into Google search results

Beware – this WhatsApp feature might see your phone number end up in Google search results

WhatsApp numbers leaking into Google search results

Update: WhatsApp owner Facebook has now resolved the issue, which it was already working to fix before it was widely reported.

Users of WhatsApp’s Click to Chat feature could be sharing more than expected after personal phone numbers were found to be being exposed via public Google search results.

Click to Chat is a lesser-known WhatsApp facility that allows website visitors to converse with website operators via the messaging service. For example, if a visitor to an ecommerce site had a query about a listing, they could scan a QR code to be entered into a WhatsApp conversation with the relevant helpdesk.

However, according to researcher and bug-bounty hunter Athul Jayaram, utilizing this feature can land a user’s phone number in public search results, opening the door to all manner of scams and cyberattacks.

WhatsApp data privacy

Messaging platform WhatsApp is renowned for its high data privacy standards, offering end-to-end encryption to all users. However, this latest discovery suggests personal data may not be as private as users might like to think. Users’ numbers are being exposed by the WhatsApp-owned “wa.me” domain, which stores Click to Chat metadata in a URL string (e.g. https://wa.me/). Because there is no measure in place to prevent search engines indexing this metadata, the numbers are in effect leaked into public search results. “Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it,” explained Jayaram.

Consumer-friendly and encrypted, WhatsApp is one of the most popular apps in use today with a whopping 1.5 billion users. But over recent months, an increasing number of questions are being raised about the encrypted app’s security.

Sure, WhatsApp is end-to-end encrypted, but the most recently discovered flaw doesn’t affect that aspect of the service. Last week, I detailed how WhatsApp group chats are easily found via a Google search, because the search engine was indexing links to conversations intended to be private.

Privacy advocates were soon up in arms as tech site Vice found phone numbers belonging to 48 participants in a group chat between non-governmental organizations accredited by the United Nations.

But suddenly, the links to chats were no longer available on Google. A source told me this is due to a quiet change made by WhatsApp owner Facebook, which prevented the conversations being indexed by Google.

Links to chats are still available–and a new report finds some sensitive groups online
It was a welcome move, albeit one performed without transparency. However, the links to WhatsApp chats are still available on other search engines. Worse, Facebook told the security researcher who found this issue, @HackrzVijay that the problem is an “intentional product decision”, and group admins “can invalidate the link if so desired.”

This problem isn’t going away. The multimedia journalist for the German outlet Deutsche Welle, Jordan Wildon, who first found this issue, has this week revealed that over 60,000 groups are still accessible online.

The article details how a security researcher, Lav Kumar discovered the information was still being stored on publicly available internet archives. Wildon tested a randomly selected 1,000 of the unique links and found nearly half were active chats.

“Even without actively joining a group, its title, description, image and creator’s phone number are available for all,” the article reads. Worse, when entering a group, “it is possible to also see the phone numbers of up to 256 participants, as well as other information, and adding these numbers to one’s contacts can reveal their names in the app.”

WhatsApp told DW in a statement: “We show all numbers in groups for people’s safety, that way they know who will receive their messages.”

However, the WhatsApp “feature” is not always that safe. Wildon found groups including people who might be in danger if their identity was revealed. For example, one chat containing hundreds of members was labelled as an LGBTQ+ group based in a Latin American country with a high rate of homophobic murders.

Facebook owner WhatsApp sent me a comment, which reads: “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated.

“Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

A new reason to leave WhatsApp?
WhatsApp is owned by Facebook, which is integrating the messaging service at the back end with Facebook Messenger and Instagram. The move is intended to support the end-to end-encryption needed for secure communications, but many see it as a cause for concern.

Big organizations have already started to move away from WhatsApp. If you use the group function for work chats, you’d be very sensible to look elsewhere. The EU is already doing this, banning WhatsApp and instructing staffers to use Signal, and a mysterious other app for secure communications.

You can try and secure your group chats using this advice from Wildon, who recommends going into group settings, tapping “Invite to Group via Link” then “Reset link.” This doesn’t turn the link off: it generates a new one.

But the most secure thing you can do, if you care about your security at least in group chats, is to look at alternatives to WhatsApp, such as Signal and Wickr. Signal is adding a number of cool new features that will make the switch much easier.

If it’s a business chat perhaps try out Wickr, while to speak to your friends, Signal is probably best.

Scouring the domain via Google searches, Jayaram reportedly uncovered 300,000 WhatsApp numbers made public via this mechanism. Clicking through to the web page does not uncover the user’s full name, but does reveal their WhatsApp profile picture.

Having made the discovery on May 23, Jayaram subsequently reported the issue to WhatsApp owner Facebook through its bug-bounty scheme.

The application was dismissed, however, on the grounds that WhatsApp users have full oversight of the information attached to their profile that is made publicly available.

“While we appreciate this researcher’s report and value the time he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public,” said a WhatsApp spokesperson.

“All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”

Jayaram, however, believes the firm should take the disclosure more seriously, due to the scope of attacks the issue could facilitate.

“Today, your mobile number is linked to your Bitcoin wallets, Adhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks is another possibility,” he said.

Author Profile

Brandon Corvis
Brandon Corvis
Bran writes mostly on science and is an avid reader and writer of popular science. He brings sciency a literetic emphasis bring it to mainstream media for all.

Sharing is caring!