WhatsApp Is Leaking User Phone Numbers In Google Searches And Customizable Verification Codes

whatsapp facebook apps
The crazy train that is WhatsApp right now does not look like it will be stopping any time soon. After the privacy policy fiasco, which is still developing, other issues have popped up simultaneously. It appears that Google is indexing a WhatsApp subdomain that can share users’ phone numbers. Furthermore, there are also other issues with WhatsApp that scammers can use to social engineer people, as we are just now learning. This is an absolute nightmare for privacy and security again, and should concern every WhatsApp user at present.

Last year, WhatsApp had chat invite links indexed on Google, meaning they were searchable by anyone who knew what to look for. The search techniques could be adapted to then extrapolate more phone numbers from the WhatsApp platform. Now, this is happening again but on a different WhatsApp subdomain, web.whatsapp.com. With a simple Google search using patterns, search terms, and tricks, anyone can find a phone number from web.whatsapp.com. This was found by security researcher Rajshekhar Rajaharia who tweeted out his findings shown below.
When we reached out for comment, we also learned more about his findings. It seems that WhatsApp has a text file in place which should stop Google from indexing its websites, but that does not appear to be working. Clearly, however, WhatsApp is not monitoring its subdomains either, which is another issue in and of itself.
Furthermore, while publicly available phone numbers are bad, it gets worse. Rajaharia reported on a website from WhatsApp that spews verification codes that are customizable by whoever visits the website. When you pair the leaked phone number with a fake verification code, scammers can act like WhatsApp employees by texting a link to users and then reading the verification code to the customers as if they see it in the backend. Evidently, this is an issue in India, but it could spread to more technically illiterate users globally.
whatsapp verification rendered
You can try this out for yourself here: https://v.whatsapp.com/123456?s=1

whatsapp business verification rendered
Business customers can also be affected: https://b.whatsapp.com/123456?s=1

Overall, users need to be worried about their safety and privacy on the WhatsApp platform. WhatsApp should have learned the first time this happened in 2020 and improved, but that is not the case. Perhaps that is why so many people are flocking to rival Signal at the moment...