Digital ID

Google is indexing the phone numbers of WhatsApp users raising privacy concerns

A researcher is warning that Google is indexing the phone numbers of WhatsApp users raising serious privacy concerns.

Google is indexing the phone numbers of WhatsApp users that could be abused by threat actors for malicious activities.

Even if Google Search only revealed the phone numbers and not the identities of associated users, ill-intentioned attackers could be able to see users’ profile pictures on WhatsApp and performing a reverse-image search the user’s profile picture to gather additional info on the potential victim (i.e. mining social media accounts where the victim use the same profile picture).

Earlier this year, the Deutsche Welle journalist Jordan Wildon, noticed that invite links for WhatsApp and Telegram groups that may be intended for private access were available through search engines.

These links could be abused by threat actors to join the group.

Now security researcher Athul Jayaram discovered a data leak with WhatsApp’s ‘wa.me’ domain that was revealing contact phone numbers on Google.

The ‘wa.me’ domain is used to host ‘click to chat‘ links that allow users to start a chat with someone without having their phone number saved in the phone’s address book.

To create the click to chat links, use https://wa.me/<number> where the <number> is a full phone number in international format.

Jayaram demonstrated that it is quite easy to find phone numbers of WhatsApp users online leaked by ‘wa.me.’

The “wa.me” or “api.whatsapp.com” domains don’t’ prevent search engines from crawling phone numbers on the website allowing any link like “https://wa.me/” to get indexed by Google.

“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” Jayaram told ThreatPost.

Experts pointed out that the link to chat feature could be exploited by threat actors to “enumerate” legitimate WhatsApp numbers.

Jayaram reported the issue to Facebook that did not accept it as part of its bug bounty program.

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” Facebook replied to Jayaram

The solution to the problem is quite simple, using a robot.txt in the above domains it is possible to prevent Google from crawling these results.

“Unfortunately they did not do that yet, and your privacy may be at stake,” he said. “Today, your mobile number is linked to your Bitcoin wallets, Adhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility,” Jayaram stated.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Whatsapp, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

4 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

11 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

22 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.