WhatsApp Has A Nasty Privacy Flaw That Could Land Your Phone Number In Google Search Results
The main draw of using WhatsApp is enhanced privacy through end-to-end encryption, followed by its popularity—more than 2 billion people in over 180 countries use the instant messaging service. This also makes privacy and security lapses all the more glaring, when they are found. And according to a security who unsuccessfully tried to collect a bug bounty, there is a "privacy issue" that needs addressed.
At the center of the issue is the application's 'click to chat' feature.
"WhatsApp's click to chat feature allows you to begin a chat with someone without having their phone number saved in your phone's address book. As long as you know this person’s phone number and they have an active WhatsApp account, you can create a link that will allow you to start a chat with them. By clicking the link, a chat with the person automatically opens. Click to chat works on both your phone and WhatsApp Web," WhatsApp explains.
Website owners can leverage the feature by creating a QR code linked to their phone number, and putting it on their site for visitors to initiate a chat with them. A visitor would then simply scan the QR code or click on the URL to start a WhatsApp chat session, without ever having to input a phone number.
Security researcher Athul Jayaram says there is a problem with this, and warns of phone numbers being "leaked" through Google's indexing routine. The problem, according to Jayaram, is that search engines index the metadata associated with click to chat, which essentially "leaks" mobile phone numbers of WhatsApp users on the application's wa.me domain.
“Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it," Jayaram told Threatpost.
Jayaran says he was able to dig up 300,000 WhatsApp phone numbers this way. He also warns that this could make it easier for an attacker to message someone out of the blue and/or sell people's phone numbers to spammers and scammers. Even worse, he says with a little digging, it's possible to uncover a person's identity by looking a person's profile picture on WhatsApp.
"Through the WhatsApp profile, they can see the profile photo of the user, and a do reverse-image search to find their other social-media accounts and discover a lot more about about [a targeted individual]," he added.
Jayaram tried to collect a bug bounty from Facebook, which owns WhatsApp, but was denied because the instant messaging service has its own bounty program. However, WhatsApp denied him as well, essentially saying this is not a flaw.
"While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button," WhatsApp said.
Indeed, some of the people ThreatPost spoke with whose phone numbers were 'leaked' said they were well aware that their numbers were public, and was a way for them to promote their business. However, some said they were not aware.
Even though he did not receive a bug bounty, Jayaram holds firm that his is a security flaw and says WhatsApp should take steps to prevent this from happening.