Friday, July 19, 2024

WhatsApp Bug Leaked Personal Phone Numbers in Google Search Results

A security researcher has warned about a privacy weakness in the WhatsApp messenger's "Click to Chat" feature: it allows Google to index users' phone numbers, and anyone can then find the indexed numbers with a simple search engine query.

The researcher who reported the "Click to Chat" flaw, Athul Jayaram, explained that the feature lets websites quickly start WhatsApp conversations with their visitors.

In short, the feature works by assigning a QR code to the site owner's phone number.

A site visitor only needs to scan the QR code or click the URL, and a WhatsApp conversation begins. The visitor never has to type in a phone number, but once the conversation starts, the number is visible to them anyway.

“Here, the problem is that these numbers then go to Google, as the search engine indexes the metadata of the ‘Click to Chat.’ And then the phone number is included in the URL string (https://wa.me/<phone_number>), which leads to its leak,” according to the security researcher, Athul Jayaram.

In short, this is an attractive opportunity for spammers, because the hole lets them easily build well-structured databases of genuine phone numbers for their own malicious campaigns.

Athul also reported that he was able to find about 300,000 valid phone numbers through the search engine, since they were already indexed by Google.

Although the phone numbers are not tied to their owners' names, attackers can still work out whom they belong to.

Clicking a URL with a phone number in Google's search results opens the user's profile along with their photo. An attacker can run a reverse image search on that picture and gather enough data about the potential victim.

WhatsApp Rejected This Bug for Bug Bounty

Athul Jayaram reported his finding to WhatsApp, but the company declined to treat it as a security flaw. According to a WhatsApp spokesperson, the users themselves chose to make their phone numbers public.

WhatsApp also clarified that its bug bounty program covers the Facebook platforms only, of which WhatsApp is just one part. Separately, here is what Google's Public Liaison for Search, Danny Sullivan, said on Twitter:

https://twitter.com/dannysullivan/status/1230920851849003008

Still, Athul Jayaram stood by his assessment of the flaw and strongly recommended that WhatsApp immediately encrypt the mobile phone numbers of all its users and add a robots.txt file to stop bots from crawling the domain on which this resource is hosted.
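The two remedies mentioned above (a robots.txt crawl block and keeping the number out of the indexable URL) interact in a way worth checking before relying on either. The following Python script is an added example, not code from the article or from WhatsApp: it uses the standard-library robots.txt parser to test whether a crawler may fetch a click-to-chat style URL, checks the response for an `X-Robots-Tag: noindex` header, and classifies the resulting exposure. The robots.txt bodies, the headers and the phone number in the URL are constructed placeholders (a reserved 555 number, not a real subscriber).

```python
from typing import Mapping
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (not from the article). The phone number is a
# placeholder in a reserved 555 range, not a real subscriber.
CHAT_URL = "https://wa.me/15550100001"

# robots.txt that blocks all crawling of the click-to-chat domain, as the
# researcher recommended.
BLOCK_ALL_ROBOTS_TXT = "User-agent: *\nDisallow: /\n"

# robots.txt that permits crawling everywhere (the situation the article describes).
ALLOW_ALL_ROBOTS_TXT = "User-agent: *\nDisallow:\n"


def is_crawlable(robots_txt: str, user_agent: str, url: str) -> bool:
    """Apply a robots.txt body to one URL using the standard-library parser."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


def has_noindex(headers: Mapping[str, str]) -> bool:
    """True if an X-Robots-Tag header carries a noindex (or none) directive.

    Directives may be comma-separated and may be prefixed with a crawler name
    ("googlebot: noindex"); both forms are handled.
    """
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        for directive in value.split(","):
            token = directive.rsplit(":", 1)[-1].strip().lower()
            if token in ("noindex", "none"):
                return True
    return False


def indexing_exposure(robots_txt: str, user_agent: str, url: str,
                      headers: Mapping[str, str]) -> str:
    """Classify how a crawler will treat one URL.

    Returns one of:
      "indexable"           crawlable and no noindex: the URL can appear in results
      "noindex"             crawlable, and the response tells crawlers not to index
      "crawl-blocked"       robots.txt stops fetching; the bare URL may still be
                            listed if other pages link to it
      "noindex-unreachable" robots.txt stops fetching, so the noindex header is
                            never seen and gives no protection
    """
    crawlable = is_crawlable(robots_txt, user_agent, url)
    noindex = has_noindex(headers)
    if crawlable and noindex:
        return "noindex"
    if crawlable:
        return "indexable"
    if noindex:
        return "noindex-unreachable"
    return "crawl-blocked"


if __name__ == "__main__":
    cases = [
        ("as described in the article", ALLOW_ALL_ROBOTS_TXT, {}),
        ("robots.txt block only", BLOCK_ALL_ROBOTS_TXT, {}),
        ("noindex header only", ALLOW_ALL_ROBOTS_TXT, {"X-Robots-Tag": "noindex"}),
        ("robots.txt block and noindex", BLOCK_ALL_ROBOTS_TXT, {"X-Robots-Tag": "noindex"}),
    ]
    for label, robots, hdrs in cases:
        verdict = indexing_exposure(robots, "Googlebot", CHAT_URL, hdrs)
        print(f"{label:30} -> {verdict}")
```

The fourth case is the one to watch: a crawler that is refused by robots.txt never fetches the response, so a `noindex` header on that response is never read, and a URL that other sites link to can still be listed without its content. Blocking crawling and adding `noindex` are therefore alternatives, not a combination, which is why the researcher's other recommendation, not placing the raw phone number in the URL at all, is the more robust fix.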

Bug Resolved

WhatsApp resolved the issue soon after the bug was reported and disclosed online.

A WhatsApp spokesperson said that this feature, called Click to Chat, is designed to help users, especially small and microbusinesses around the world, connect with their customers.

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” the spokesperson added.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.