WhatsApp, the Facebook-owned social messaging platform, may have leaked mobile numbers of its users. An independent cybersecurity researcher from India has revealed the privacy issue in a new Medium blog post. In his post, Athul Jayaram claims that he discovered the privacy issue in the WhatsApp Web portal. The platform has reportedly leaked mobile numbers of around 29,000 to 300,000 WhatsApp users around the world.
Jayaram further notes that these mobile numbers are available in “plaintext accessible to any internet user in plaintext”. He also adds that WhatsApp users from the United States, United Kingdom, India and almost all other countries are affected by this issue. Jayaram also cites CVE-2019-2706, issued by Oracle for the critical vulnerability he discovered in the middleware used by corporate applications. He mentions in his profile that he is a full-time bug bounty hunter ranked top 125 in Bugcrowd and HackerOne.
The independent cybersecurity researcher also raises concerns around the fact that this data is available on the open web and not on the dark web. He also adds that the number of numbers accessible to you might differ due to “Google bot crawl daily”. WhatsApp has denied the leak and has also confirmed that indexing is no longer happening and that this is not a privacy issue. The search results will also vary depending on the Google domain due to regional TLDs. Facebook removed the feature to search users with their phone numbers last year due to privacy issues.
“Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers. While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” a WhatsApp spokesperson said in an emailed statement.
Is WhatsApp leaking mobile numbers?
It is not clear whether WhatsApp is affected by a similar issue. The social messaging platform has also launched a new feature where friends can add users by scanning a QR code. Every account is now provided a unique QR code which shows a URL pointing to https://wa.me/. The researcher notes that WhatsApp has a click to chat feature where the links are generated as https://wa.me/.
Jayaram claims that this feature does not encrypt the phone number in the link. As a result, if the link is shared anywhere, the phone number is visible in plaintext. “For example, you share this link with a friend on twitter to reach you on WhatsApp. Your mobile number is visible in plain text in this URL and anyone who gets hold of the URL can know your mobile number, you cannot revoke it,” he wrote in his Medium post.
Even if you delete the tweet, Google bot would have crawled the URL and kept the link on the web. The link reportedly does not have a robots.txt file in its server root, which means it cannot stop Google or other search engine bots from crawling and indexing the link. The biggest impact of this leak would be random people sending you messages on WhatsApp. This could become a harmful weapon in the hands of marketing executives, cybercriminals and fraudsters looking for new ways to reach unsuspecting consumers.
Jayaram says that Google search results showed him around 29,000 results at the time of publishing his blog. In order to find a number, all you need to do is use the Google search query site:wa.me “<country_code>”. We were not able to replicate the result. On WhatsApp, each user is identified by a mobile number and not by a username. You can message someone if you have their mobile number. Jayaram notes that a stranger’s personal WhatsApp profile can be identified and accessed via this method.
The profile pictures are only visible for those who have their visibility set to public. “This privacy issue could have been avoided if Whatsapp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages, unfortunately they did not do that yet and your privacy may be at stake,” Jayaram further notes in his blog. One can only hope that WhatsApp takes note of this issue and issues a fix soon.
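The two controls Jayaram names, a robots.txt rule and a noindex tag, can be audited for any page that carries an identifier in its URL. The following is an added example, not code from the article, the researcher or WhatsApp; the host chat.example, the phone number and the function name index_exposure are constructed for illustration. It goes slightly beyond the quote by also reading the X-Robots-Tag response header and by flagging the case where a robots.txt block keeps the crawler from ever seeing the noindex tag.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.update(d.strip().lower() for d in a.get("content", "").split(","))


def index_exposure(url, robots_txt, headers, html, agent="Googlebot"):
    """Return 'indexable', 'noindex' or 'blocked-but-listable' for one page."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())  # an empty file allows everything
    if not rp.can_fetch(agent, url):
        # The crawler never fetches the page, so a noindex on it goes unseen;
        # the bare URL can still be listed when other pages link to it.
        return "blocked-but-listable"
    meta = _RobotsMeta()
    meta.feed(html)
    header = {d.strip().lower() for d in headers.get("X-Robots-Tag", "").split(",")}
    if {"noindex", "none"} & (meta.directives | header):
        return "noindex"
    return "indexable"


# Constructed sample input: a fictional host and a fictional phone number.
URL = "https://chat.example/15555550100"
PLAIN_PAGE = "<html><head><title>Chat</title></head><body></body></html>"
NOINDEX_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
DISALLOW_ALL = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    cases = {
        "no robots.txt, no tags": ("", {}, PLAIN_PAGE),
        "meta noindex": ("", {}, NOINDEX_PAGE),
        "X-Robots-Tag header": ("", {"X-Robots-Tag": "noindex"}, PLAIN_PAGE),
        "Disallow plus meta noindex": (DISALLOW_ALL, {}, NOINDEX_PAGE),
    }
    for name, (robots, hdrs, page) in cases.items():
        print(f"{name}: {index_exposure(URL, robots, hdrs, page)}")
```
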