Privacy Alert: WhatsApp is leaking phone numbers of users in Google searches

A serious security issue affects WhatsApp users and even the popular end-to-end encryption cannot protect users. According to data security training specialists, Google is indexing phone numbers linked to WhatsApp accounts to their search results, which could be leveraged by threat actors to attack specific users.

Researcher Athul Jayaram pointed to the finding of the security issue in recent days, mentioning that the information leaking is related to the “wa.me” domain. This domain is owned by WhatsApp and allows users to host links known as ‘click to chat’; these links are used to join a conversation without having a number stored in someone’s contacts.

According to the data security training researcher, domains “wa.me” and “api.whatsapp.com” do not have a “robots.txt” file to specify that search engines cannot crawl phone numbers on the website. Therefore, links that begin with “http://wa.me/” are indexed by Google and other search engines.

By clicking on these links, the user is redirected to an “api.whatsapp.com” page to contact other users on the messaging platform. “Phones are completely exposed, so any malicious hacker can make calls, send messages or sell the information of affected users to spammers, scammers and data brokers,” Jayaram says.

When conducting a test, data security training experts created a fake link (http://wa.me/11111), which redirected them to api.whatsapp.com/send?phone=11111, as shown in the following image. This link showed the same legitimate page, although the researchers did not even use a real phone number.

In other words, threat actors cannot simply exploit this feature to extract legitimate WhatsApp numbers as if conventional queries were entered into a web browser. Facebook even rejected Jayaram’s report, not considering this condition a security bug under its rewards program: “We appreciate the report sent by the researcher and value his dedication, but it does not qualify for a reward since it simply contains a search engine URL index that WhatsApp users have decided to make public,” the company argues. This is not to say that the company should forget this inconvenience, as many users ignore how these links work and what information is being shared with the entire Internet.  

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.