WhatsApp users' phone numbers are at risk of being exposed: a cybersecurity
researcher has found a bug that allows user numbers to be displayed in Google
Search results.

According to a bug bounty hunter, Athul Jayaram, a flaw in WhatsApp's web portal
has leaked numbers
[https://medium.com/@athuljayaram/your-whatsapp-number-may-be-leaked-in-the-open-web-they-dont-care-do-you-dcf147236746] of about 29,000 users from the United States, United Kingdom, India and other
countries.

The bug seems to be with WhatsApp's click to chat feature that allows a user to
start a chat on the platform with another user whose contact isn't saved in the
phone's contact directory/address book. The feature requires the sender to
generate a link using the phone number of the user they want to message on the
platform.

Jayaram explains in his blog post
[https://medium.com/@athuljayaram/your-whatsapp-number-may-be-leaked-in-the-open-web-they-dont-care-do-you-dcf147236746] on Medium that the click to chat feature generates the link via WhatsApp's web
portal and does not encrypt the phone number. So the phone number is visible in
plain text within the link itself, which appears as "https://wa.me/". The
numbers can easily be found by running a Google search query, and there is even
a way to search for numbers from a specific country using the country's calling
code.
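
For site owners who publish click to chat links, the sketch below audits a page's HTML for phone numbers carried in plain text in such links and reports whether the page asks search engines not to index it. It is an added example, not code from Jayaram's post or from WhatsApp; the sample page and its number are constructed, and the api.whatsapp.com/send?phone= link form and the robots meta check are additions beyond what the article describes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page (the number is fictional).
SAMPLE = """<html><head><title>Contact</title></head><body>
<a href="https://wa.me/15555550123?text=Hi">Chat with us</a>
<a href="https://api.whatsapp.com/send?phone=15555550123">Chat</a>
<a href="https://example.com/about">About</a>
</body></html>"""

def extract_number(href):
    """Return the digits of the number in a click to chat URL, or None."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if host == "wa.me":
        candidate = url.path.strip("/")
    elif host == "api.whatsapp.com" and url.path.rstrip("/") == "/send":
        candidate = parse_qs(url.query).get("phone", [""])[0]
    else:
        return None
    digits = re.sub(r"\D", "", candidate)
    return digits if 7 <= len(digits) <= 15 else None

class ClickToChatAudit(HTMLParser):
    """Collects numbers exposed in links and any robots 'noindex' directive."""
    def __init__(self):
        super().__init__()
        self.numbers = set()
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.noindex = "noindex" in (a.get("content") or "").lower()
        elif tag == "a" and a.get("href"):
            number = extract_number(a["href"])
            if number:
                self.numbers.add(number)

def mask(number):
    """Keep the report itself from repeating the full number."""
    return number[:2] + "*" * (len(number) - 4) + number[-2:]

def audit(html):
    parser = ClickToChatAudit()
    parser.feed(html)
    return {"exposed": sorted(mask(n) for n in parser.numbers),
            "indexable": not parser.noindex}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A page reported as indexable with a non-empty "exposed" list is one where a crawler can pick up the number directly from the link.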

Jayaram says he was able to find about 29,000 numbers in Google Search and
apparently, even contacted some of them on WhatsApp. The users whose numbers are
compromised are vulnerable to phishing attacks by threat actors. Additionally,
depending on their privacy settings, the users' display pictures, profile status
and display names can also be seen.

The fact that user mobile numbers are at risk seems concerning but for now, it
seems WhatsApp doesn't particularly think this is a problem. When asked about
the bug by Threatpost
[https://threatpost.com/whatsapp-phone-numbers-google-search-results/156141/], a
WhatsApp spokesperson said, "While we appreciate this researcher's report and
value the time that he took to share it with us, it did not qualify for a bounty
since it merely contained a search engine index of URLs that WhatsApp users
chose to make public. All WhatsApp users, including businesses, can block
unwanted messages with the tap of a button."

A similar bug was found with WhatsApp a few months ago, where links to join
private WhatsApp Groups were being indexed on Google Search. When reported, the
bug was described as an "intentional product design" by Facebook but was
seemingly fixed later.
