A security researcher discovered the WhatsApp feature “Click to Chat” puts everyone at risk by indexing WhatsApp contact details on Google search. However, they said it’s no big deal that search only reveals what the user has selected for his privacy settings.
A researcher discovered the leaked phone numbers issue. As we all know that this “Click to Chat” allows websites to initiate a WhatsApp chat session by associating a QR code directly.
Also Read: WhatsApp End-to-End Encryption, Secure your Privacy & Conversation
The issue is that these phone numbers can indeed appear within the Google Search result since search engines monitor metadata. The contact details are revealed as part of a string of URLs (https:/wa.me/) which shows the contact detail of a specific account.
Researcher says:
“Since numbers are accessible in plaintext URL, and anyone who approaches the URL can know the contact details and thereby see the profile picture of the targeted account and can do a reverse picture search to identify their other web-based social networking accounts and find considerably progressive information on the targeted person.”
According to a research study, some people are unaware that their numbers are public while others say that they did it on purpose to boost their business.
Also Read: How to use someone WhatsApp in your Android & iPhone?
On this issue, Facebook responded to the complaint that data abuse is only covered for Facebook platforms, and not for WhatsApp. Danny Sullivan , a public alliance for Google Search, said on Twitter that the situation is “no different than any case where a site allows URLs to be publicly listed.” Google does offer tools allowing sites to block content being listed but the thing is Google cannot remove URLs from the web (only webmasters can do that).
However, if anything is omitted from Google’s findings, the results of all other search engines can still turn up.
Researchers advised WhatsApp to encrypt user mobile numbers and add a robots.txt file to disallow bots from crawling their domain because your mobile number is linked to your other accounts like bank accounts, credit cards, etc, that can allow an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number.
The authorities (WhatsApp) did not respond to that suggestion yet.
Source: thehacktoday
