WhatsApp has finally fixed a privacy flaw that exposed users' contact numbers via Google Search. Athul Jayaram, an independent cybersecurity researcher, brought the issue to attention.
The issue arises because of a WhatsApp feature. Dubbed Click to Chat, the feature lets you text a WhatsApp user without having to save their number in your contacts. The links are generated in the format “https://wa.me/<number>”, where <number> is the phone number including the dialing code. Several businesses use the feature, primarily to contact and connect with their customers.
The problem here was that the WhatsApp links of Click to Chat users showed up in Google search results, thereby letting potentially anyone who found them on the search results page send messages to those numbers. The numbers used to show up as results for the “site:wa.me” search query.
As part of the investigation, Jayaram contacted several WhatsApp users found through the search results. From their responses, it is evident that they were not aware that their contact numbers were merely a Google search away.
In fact, the issue has existed for quite a while now. The Facebook-owned company was previously criticized for letting search engines index invite links of WhatsApp groups. While the company fixed the group link indexing issue this February, it took a security researcher’s public criticism for WhatsApp to fix phone number indexing.
Although WhatsApp has fixed the issue now, the researcher who escalated this issue did not qualify for a bug bounty. “While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public,” a WhatsApp spokesperson told TechCrunch.