WhatsApp is leaking mobile numbers of users in plaintext | BGR India

WhatsApp denies leaking mobile number of users in plaintext

An independent cybersecurity researcher has claimed that WhatsApp is leaking mobile numbers of users in plaintext, searchable on Google.

  • Updated: June 9, 2020 3:58 PM IST

WhatsApp, the Facebook-owned social messaging platform, may have leaked mobile numbers of its users. An independent cybersecurity researcher from India has revealed the privacy issue in a new Medium blog post. In his post, Athul Jayaram claims that he discovered the privacy issue in the WhatsApp Web portal. The platform has reportedly leaked mobile numbers of around 29,000 to 300,000 WhatsApp users around the world.

Jayaram further notes that these mobile numbers are available in “plaintext accessible to any internet user in plaintext”. He adds that WhatsApp users from the United States, United Kingdom, India and almost all other countries are affected by this issue. Jayaram also cites CVE-2019-2706, issued by Oracle for the critical vulnerability he discovered in the middleware used by corporate applications. He mentions in his profile that he is a full-time bug bounty hunter ranked in the top 125 on Bugcrowd and HackerOne.

The independent cybersecurity researcher also raises concerns about the fact that this data is available on the open web and not on the dark web. He adds that the number of phone numbers accessible to you might differ due to “Google bot crawl daily”. WhatsApp has denied the leak and has also confirmed that indexing is no longer happening and that this is not a privacy issue. The search results will also vary depending on the Google domain, due to regional TLDs. Facebook removed the feature to search users with their phone numbers last year due to privacy issues.

“Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers. While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” a WhatsApp spokesperson said in an emailed statement.

Photo: Athul Jayaram/Medium

Is WhatsApp leaking mobile numbers?

It is not clear whether WhatsApp is affected by a similar issue. The social messaging platform has also launched a new feature where friends can add users by scanning a QR code. Every account is now provided a unique QR code which shows a URL pointing to https://wa.me/. The researcher notes that WhatsApp has a click to chat feature where the links are generated as https://wa.me/.

Jayaram claims that this feature does not encrypt the phone number in the link. As a result, if the link is shared anywhere, it makes the phone number visible in plaintext. “For example, you share this link with a friend on Twitter to reach you on WhatsApp. Your mobile number is visible in plain text in this URL and anyone who gets hold of the URL can know your mobile number, you cannot revoke it,” he wrote in his Medium post.

Even if you delete the tweet, Google bot would already have crawled the URL and kept the link on the web. The link's server reportedly does not have a robots.txt file in its root, which means it cannot stop Google or other search engine bots from crawling and indexing the link. The biggest impact of this leak would be random people sending you messages on WhatsApp. This could become a harmful weapon in the hands of marketing executives, cybercriminals and fraudsters looking for new ways to reach unsuspecting consumers.

Photo: Athul Jayaram/Medium

Jayaram says that Google search results showed him around 29,000 results at the time of publishing his blog. In order to find a number, all you need to do is use the Google search query site:wa.me “<country_code>”. We were not able to replicate the result. On WhatsApp, each user is identified by a mobile number and not by a username. You can message someone if you have their mobile number. Jayaram notes that a stranger’s personal WhatsApp profile can be identified and accessed via this method.

The profile pictures are only visible in the case of those who have their visibility set to public. “This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages, unfortunately they did not do that yet and your privacy may be at stake,” Jayaram further notes in his blog. One can only hope that WhatsApp takes note of this issue and issues a fix soon.
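The robots.txt and noindex controls mentioned above interact: a crawler that robots.txt keeps out never reads a noindex directive on the page. The following audit is an added example, not code from the researcher or WhatsApp, and shows the four combinations for a page you operate; the domain `chat.example`, the number and all sample inputs are constructed placeholders.

```python
import urllib.robotparser
from html.parser import HTMLParser


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in (a.get("content") or "").split(",")}


def audit_indexability(url, robots_txt, headers, html, agent="Googlebot"):
    """Return (crawl_allowed, noindex_seen, verdict) for one page."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawl_allowed = rp.can_fetch(agent, url)
    # noindex can arrive as a meta tag or as an X-Robots-Tag response header.
    meta = _RobotsMeta()
    meta.feed(html)
    header = {k.lower(): v.lower() for k, v in headers.items()}.get("x-robots-tag", "")
    noindex = "noindex" in meta.directives or "noindex" in {d.strip() for d in header.split(",")}

    if crawl_allowed and noindex:
        verdict = "crawled, then dropped from the index"
    elif crawl_allowed:
        verdict = "indexable: URL and content can appear in results"
    elif noindex:
        verdict = "noindex never read: crawl is blocked, bare URL can still be listed"
    else:
        verdict = "crawl blocked only: bare URL can still be listed if linked elsewhere"
    return crawl_allowed, noindex, verdict


# Constructed sample inputs (placeholder domain, fictional number).
URL = "https://chat.example/15555550100"
PAGE_PLAIN = "<html><head><title>Chat</title></head></html>"
PAGE_NOINDEX = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
ROBOTS_BLOCK = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    for robots, hdrs, page in [("", {}, PAGE_PLAIN), ("", {}, PAGE_NOINDEX),
                               (ROBOTS_BLOCK, {}, PAGE_NOINDEX),
                               ("", {"X-Robots-Tag": "noindex"}, PAGE_PLAIN)]:
        print(audit_indexability(URL, robots, hdrs, page))
```

Neither control hides the identifier from whoever receives the link; they only affect whether search engines list it.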

  • Published Date: June 9, 2020 11:18 AM IST