WhatsApp has a bug that allows users’ mobile phone numbers to be exposed on Google’s search engine, a security researcher has revealed. Although not all users’ numbers were exposed, the issue raised concerns. But if a user has only spoken to a WhatsApp user they know (and hasn’t used a group invitation link), there’s a good chance they’ll be affected by the vulnerability.
(Via SlashGear)
Athul Jayaram, a security researcher, said WhatsApp executives were aware of the problem but were unmoved. The issue is understood to be related to WhatsApp’s QR code feature, which was introduced earlier this year.
WhatsApp’s previously published group invitation links work differently than the new QR code feature, but the former is clearly more secure — because the latter uses an unencrypted http://wa.me/ short URL system and doesn’t hide the user’s phone number in the link.
When a user shares a QR code under the new system and the URL is crawled by Google’s crawler, it is most likely to be added to the search engine’s index. If you are concerned that your number has been exposed, you can check by searching Google for site:wa.me plus your country code.
At the time of writing, media outlets had retrieved more than 30,000 results through this method, and the vast majority of these links contained the phone numbers of WhatsApp users in plain text. Some search results even include messages sent in WhatsApp conversations through the wa.me system.
Update: Searching Google with site:api.whatsapp.com also returns thousands of results. But unless WhatsApp executives look at the issue, the negative impact will certainly continue.