WhatsApp is one of the leading cross-platform messaging and Voice over IP (VoIP) services worldwide. It is owned by Facebook, Inc. Recently, phone numbers of WhatsApp users have been showing up in Google Search results. The company attributes this to its “Click to Chat” feature, which generates a link that opens a chat with a specific phone number.
The issue was discovered by bug-bounty hunter Athul Jayaram, who described it as a major privacy concern for the platform's more than a billion users. The researcher reported that nearly 300,000 (three lakh) phone numbers of WhatsApp users had been exposed. However, the issue is less severe than media coverage suggests: Google only surfaces numbers that the users concerned have themselves made public, and no personal names or other user credentials appear in the search results.
What is the “Click to Chat” feature?
WhatsApp's Click to Chat feature lets you start a chat with someone without having their phone number saved in your phone's address book. It acts as a bridge between a website and its visitors for establishing a WhatsApp chat session. A site owner typically embeds a Quick Response (QR) code image, often generated through third-party services, that encodes the link to their WhatsApp phone number; visitors scan the QR code or click the link to launch a WhatsApp chat session. The visitor does not have to dial the number manually, which makes establishing a connection easy. However, the visitor does get to see the mobile number once the chat is opened.
Insights from the investigation
Jayaram said the mobile numbers found in Google Search results are most likely due to Click to Chat metadata. A WhatsApp mobile number is embedded directly in the URL string (https://wa.me/<phone_number>), so the number is exposed in plaintext to anyone who sees the link, including search engine crawlers. A WHOIS lookup showed that the “wa.me” domain is owned and controlled by WhatsApp itself.
“Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it,” he said. “As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers. Through the WhatsApp profile, they can see the profile photo of the user, and do a reverse-image search to find their other social-media accounts and discover a lot more about [a targeted individual],” said Jayaram, in research shared exclusively with Threatpost on Friday.
He added that this bug makes it easy for spammers to collect legitimate phone numbers for mounting spear-phishing campaigns. A specially crafted search string against the https://wa.me/ domain surfaced about 300,000 WhatsApp phone numbers in Google's index. It illustrates a significant privacy weakness that could result in abuse and fraud.
Google Search results exposed only the phone numbers, not the identities of the users they belong to. However, the investigator said that he was also able to see users' profile pictures on WhatsApp alongside their phone numbers, which poses a potential threat to privacy. He added that an attacker could run a reverse-image search on a captured profile picture to collect further data about the victim and harm the user.
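To make the mechanism concrete, here is an added example (not code from WhatsApp, Threatpost or the researcher) showing why a wa.me link leaks the number in plaintext: anything that can read the page's links, which includes every search crawler, can recover the phone number with a trivial parse. The function `phone_from_wa_me` extracts the number from a single Click to Chat URL, and `exposed_numbers` scans a page's HTML for such links, which is the check a site owner would run before publishing a page. The function names, the acceptable digit-length range and the sample HTML (with fictitious 555 and Ofcom drama numbers) are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that serve WhatsApp Click to Chat links (wa.me is the one the
# article documents; the www. variant is included as a defensive assumption).
WA_ME_HOSTS = {"wa.me", "www.wa.me"}

# E.164 numbers are at most 15 digits; the lower bound of 7 is an assumption
# that rejects obviously junk paths such as "/" or "/1".
MIN_DIGITS, MAX_DIGITS = 7, 15


def phone_from_wa_me(url):
    """Return the phone number embedded in a wa.me Click to Chat URL as +digits.

    Returns None when the URL is not a wa.me link or carries no plausible number.
    The number sits in the URL path in plaintext, so this is all a crawler needs.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.netloc.lower() not in WA_ME_HOSTS:
        return None
    # Strip spaces, dashes, a leading '+' and anything else that is not a digit.
    digits = re.sub(r"\D", "", parsed.path)
    if not MIN_DIGITS <= len(digits) <= MAX_DIGITS:
        return None
    return "+" + digits


class _LinkCollector(HTMLParser):
    """Collect every href attribute of <a> tags in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def exposed_numbers(html):
    """Return the distinct phone numbers a page exposes through wa.me links, in page order."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        number = phone_from_wa_me(href)
        if number and number not in found:
            found.append(number)
    return found


# Constructed sample page: two Click to Chat links (one with spaces and a
# pre-filled ?text= query), one unrelated link and one malformed wa.me link.
SAMPLE_HTML = """
<html><body>
  <a href="https://wa.me/14155551234">Chat with sales</a>
  <a href="https://wa.me/+44 20 7946 0958?text=Hello">Support</a>
  <a href="https://example.com/contact">Contact form</a>
  <a href="https://wa.me/">broken link</a>
</body></html>
"""

if __name__ == "__main__":
    for number in exposed_numbers(SAMPLE_HTML):
        print("exposed in plaintext via wa.me link:", number)
```

Running the block prints the two numbers from the sample page; the unrelated and malformed links are ignored. Note that the query string (`?text=...`) is irrelevant to the leak: the number is in the path, which is exactly the part a search engine keys its index on.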
In response, a WhatsApp spokesperson said that the Click to Chat feature simply lets users create a URL containing their phone number, so that microbusinesses around the world can connect with their customers.
Was it a feature or a bug?
The investigator said that many Click to Chat users are unaware that their phone numbers are stored in plaintext, indexed in Google Search results, and discoverable through a comparatively simple search query. He told Threatpost that users he reached out to had expressed concern that their phone numbers were available online and indexed by Google Search.
Threatpost contacted several WhatsApp users whose numbers were indexed. Some were aware that their number was public; in fact, publishing the link was a deliberate way to promote their business or personal contact online. Others, however, were unaware that their numbers were public.