A security researcher recently warned of a security threat from WhatsApp Messenger, known as "Click to Chat". With this feature, Google can index users' phone numbers, and all indexed numbers can be easily found by anyone in the search engine.
The security researcher, who reported the "Click to Chat" vulnerability, Athul Jayaram, clarified that because of this vulnerability, the websites can quickly initiate WhatsApp conversations with their visitors.
In short, the function generally works by assigning a QR code to the resource owner's phone number.
Here the site visitor only has to scan the QR code or click on the URL, and the dialogue in WhatsApp begins. In addition, no phone number needs to be entered. At the beginning of the conversation, however, the user still has access to it.
"The problem here is that these numbers go to Google because the search engine indexes the metadata of the" Click to Chat ". Then the phone number is included in the URL string (https://wa.me/).
In short, this is one of the lucrative options for spammers, as this vulnerability allows them to easily create well-structured databases with original phone numbers to use for their personal malicious campaigns.
In addition, Athul made it clear and reported that it had been able to find around 300,000 valid phone numbers from the search engine, as these are already indexed in Google.
The phone numbers are not tied to their owners' names, but here's the fact that the attackers can still find out who they belong to.
When you click the URL with a phone number in Google search results, a user's profile opens with the photo. An attacker could use the image search to collect enough data about the potential victim.
WhatsApp rejected this bug for bug bounty
Security researcher Athul Jayaram told WhatsApp about his discovery, but the company clearly refused to discover it as a vulnerability. According to a WhatsApp spokesman, users have posted their phone numbers here themselves.
In addition, they also made it clear that the bug bounty program only covers the Facebook platforms, while WhatsApp is only part of it. Apart from that, Google's public broker Danny Sullivan said in his Twitter handler:
Search engines like Google and others list pages from the open web. That is exactly what is happening here. This is no different than in any case where URLs can be publicly listed on a website. We offer tools that websites can use to block content that is listed in our results: https://t.co/D1YIt228E3
– Danny Sullivan (@dannysullivan), February 21, 2020
Nevertheless, security researcher Athul Jayaram has clarified his views on the error and strongly recommended WhatsApp to immediately encrypt all users' cell phone numbers and attach a robots.txt file to prevent bots from crawling their domain. This resource is available.
fault has been corrected
WhatsApp fixed this problem shortly after this bug was reported and found online.
WhatsAPP spokesman said, "A WhatsApp spokesman said that this feature, called Click to Chat, is designed to help users, especially small businesses and micro businesses around the world, connect with their customers."
"Although we appreciate this researcher's report and the time it took him to share it with us, he was not eligible for a reward because it only contained a search engine index with URLs published by WhatsApp users. All WhatsApp users, including businesses, can block unwanted messages at the push of a button. "
You can follow us on Linkedin, Twitter, Facebook for daily information on cybersecurity and message hacking.