Thursday, March 28, 2024

WhatsApp Bug Leaked Personal Phone Numbers in Google Search Results

Recently, a security researcher warned about a security issue in the WhatsApp messenger feature known as ‘Click to Chat’: the feature allows Google to index users’ phone numbers, and all the indexed numbers can then be found by anyone using the search engine.

The security researcher who reported the “Click to Chat” flaw, Athul Jayaram, explained that the feature allows websites to quickly start WhatsApp conversations with their visitors.

In short, the feature works by assigning a QR code to the phone number of the site owner.

A site visitor only needs to scan the QR code or click the URL, and a WhatsApp conversation begins. There is no need to enter a phone number, but once the conversation starts, the number is still visible to the visitor.

“Here, the problem is that these numbers then go to Google, as the search engine indexes the metadata of the ‘Click to Chat.’ And then the phone number is included in the URL string (https://wa.me/<phone_number>), which leads to its leak,” according to the security researcher, Athul Jayaram.

In short, this is a lucrative opportunity for spammers, as the hole lets them easily build well-structured databases of genuine phone numbers for use in their own malicious campaigns.

Athul also reported that he was able to find about 300,000 valid phone numbers through the search engine, since they were already indexed by Google.

Although the phone numbers are not tied to the names of their owners, attackers can still work out to whom they belong.

Clicking a URL with a phone number in Google’s search results opens the user’s profile along with the profile photo. An attacker can then run a reverse image search on the picture and collect enough data about the potential victim.

WhatsApp Rejected This Bug for Bug Bounty

The security researcher, Athul Jayaram, told WhatsApp about his finding, but the company refused to consider it a security flaw. According to a WhatsApp spokesperson, the users themselves chose to make their phone numbers public.

They also clarified that the bug bounty program covers the Facebook platforms only, with WhatsApp being just one part of it. Apart from this, here is what Google’s public liaison for search, Danny Sullivan, said on his Twitter handle:

https://twitter.com/dannysullivan/status/1230920851849003008

Still, Athul Jayaram stood by his assessment of the flaw and strongly recommended that WhatsApp immediately encrypt the mobile phone numbers of all its users and add a robots.txt file to stop bots from crawling the domain on which this resource is hosted.
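As an added example (not code from the article, and not WhatsApp’s own), the following Python script shows the two defensive checks implied by the discussion above: it scans a list of links for phone numbers exposed in a URL path or in a ‘phone’ query parameter, redacts them so they can be reported without re-exposing the number, and evaluates a robots.txt body against such a URL using the standard library’s robots parser. The links, phone numbers and robots.txt text are all constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
from urllib.robotparser import RobotFileParser

# Constructed sample links, as a site owner might collect them from their own pages or
# sitemap while auditing what search engines can see. The numbers are made up.
SAMPLE_LINKS = [
    "https://wa.me/15550001234",
    "https://wa.me/15550001234?text=Hello",
    "https://api.whatsapp.com/send?phone=15550005678",
    "https://example.com/contact",
    "https://wa.me/qr/ABCDEFGHIJKLMNOP",  # constructed opaque-token link, no number in the path
]

# Constructed robots.txt in the spirit of the researcher's recommendation: tell all
# crawlers to stay off the whole domain. Illustration only, not WhatsApp's real file.
ROBOTS_DISALLOW_ALL = "User-agent: *\nDisallow: /\n"

# A bare phone number (7-15 digits, optional leading '+') as the only path component.
PHONE_PATH = re.compile(r"^/\+?\d{7,15}/?$")


def find_phone_number_links(links):
    """Return (url, number) pairs for links that expose a phone number in the URL path
    or in a 'phone' query parameter. Such URLs are indexable and therefore searchable."""
    hits = []
    for url in links:
        parts = urlparse(url)
        if PHONE_PATH.match(parts.path):
            hits.append((url, parts.path.strip("/").lstrip("+")))
            continue
        query = parse_qs(parts.query)
        phone = query.get("phone", [""])[0].lstrip("+")
        if phone.isdigit():
            hits.append((url, phone))
    return hits


def redact_phone(url):
    """Replace the phone number in a click-to-chat style URL with a placeholder, so the
    URL can be logged or reported without repeating the number."""
    parts = urlparse(url)
    path = re.sub(r"\d{7,15}", "REDACTED", parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "phone" in query:
        query["phone"] = ["REDACTED"]
    return urlunparse(parts._replace(path=path, query=urlencode(query, doseq=True)))


def crawl_allowed(robots_txt, url, user_agent="*"):
    """Evaluate a robots.txt body against a URL the way a well-behaved crawler would."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


if __name__ == "__main__":
    for url, number in find_phone_number_links(SAMPLE_LINKS):
        print(f"exposed number starting {number[:3]}... in {redact_phone(url)}")
    target = "https://wa.me/15550001234"
    print("empty robots.txt     -> crawl allowed:", crawl_allowed("", target))
    print("'Disallow: /' present -> crawl allowed:", crawl_allowed(ROBOTS_DISALLOW_ALL, target))
```

Two points worth noting from running it: a robots.txt rule only asks well-behaved crawlers not to fetch the path, and a URL that is linked from elsewhere can still end up listed by a search engine, with the number still visible to anyone who reaches the link. Keeping identifiers such as phone numbers out of URL paths and query strings altogether, as the constructed opaque-token link in the sample does, is the more robust design.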

Bug Resolved

WhatsApp resolved this issue soon after the bug was reported and disclosed online.

A WhatsApp spokesperson said that this feature, called Click to Chat, is designed to help users, especially small and micro-businesses around the world, connect with their customers.

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
