WhatsApp, serious problem: users’ numbers available on Google

A computer researcher discovered the presence of a bug that allows search engines to index people's phone number

In February this year, the website Motherboard discovered that many groups created on WhatsApp were being indexed by Google's search engine and were accessible by any person. WhatsApp technicians took immediate action and the problem was fixed within a few days. A few months later, a new privacy issue hits the messaging application: computer researcher Athul Jayaram discovered that over 300,000 users' phone numbers are present on Google because of WhatsApp.

What is the reason for the presence of users' phone number on WhatsApp? To the Click to Chat feature, a tool used by websites to facilitate the interaction between the company and the user on WhatsApp. Simply clicking on a button or scanning a QR Code will start a conversation on WhatsApp without the need to register the contact in the smartphone's address book. Unfortunately, the metadata of the Click to Chat function is indexed by search engines and among this information there is also the phone number.

WhatsApp, 300,000 phone numbers present on Google

According to the analysis made by the computer researcher, there are more than 300,000 phone numbers of users present on Google because of WhatsApp. The fault, as mentioned above, is the Click to Chat function and the URL that is created to get in touch with the company. Few are aware of it, but it is possible to write to a user on the messaging app even without knowing his phone number: just enter the following URL "https://wa.me/numeroditelefono" in the tab of a browser.

This URL, however, is indexed by Google that inserts it in the search results. Performing tests, the computer researcher has found more than 300,000 telephone numbers. A serious problem for the privacy and security of users: phone contacts can be used by fraudsters for phishing campaigns and spam e-mails.

WhatsApp, a serious problem for the security of users

The problem does not only concern the possibility for attackers to use the phone number for any spam campaigns, but also to trace the true identity of the person. How? Through reverse search. By clicking on the URL in the search engine, you can see the person's profile picture, save it on your device and use a reverse image search tool to discover their identity. A real attack on the person's privacy.

WhatsApp, problem solved?

The computer researcher sent the report to Facebook on May 23 to participate in the "bug-bounty program", the program that provides a monetary reward for all those who discover bugs in the Menlo Park company's platform. Facebook's answer was not long in coming: no reward, since the program is only valid for the social network. Negative response also from WhatsApp developers: this is something known for a long time and for the moment will not be resolved.