Tuesday, December 3, 2024
HomeCVE/vulnerabilityWhatsApp Bug Leaked Personal Phone Numbers in Google Search Results

WhatsApp Bug Leaked Personal Phone Numbers in Google Search Results

Published on

SIEM as a Service

Recently, a security researcher has warned about a security threat posed by the WhatsApp messenger known as ‘Click to Chat’ this function allows Google to index the phone numbers of users, and all the indexed numbers can be easily found by anyone on the search engine.

The security researcher, who reported about the “Click to Chat” security flaw, Mr. Athul Jayaram cleared that, this flaw allows the sites to quickly initiate the WhatsApp conversations with their visitors.

In short, the function generally works by assigning a QR code to the phone number of the resource owner. 

- Advertisement - SIEM as a Service

Here the site visitor just required to scan the QR code or click on the URL, and the dialogue in WhatsApp will begin. Moreover, there is no need to enter a phone number, but when the conversation begins, the user still has access to it.

“Here, the problem is that these numbers then go to Google, as the search engine indexes the metadata of the ‘Click to Chat.’ And then the phone number is included in the URL string (https://wa.me/<phone_number>), which leads to its leak” according to the security researcher, Athul Jayaram. 

In short, it’s one of the lucrative options for the Spammers, as this security hole will allow them to easily create well-structured databases of original phone numbers to use them for their personal malicious campaigns. 

Moreover, Athul clearly announced and reported that he managed to discover about 300,000 valid phone numbers from the search engine, as they are already indexed in Google.

Though the phone numbers are not tied to the names of their owners, but, here the fact is that the attackers can still find out to whom they belong.

If you click on the URL with a phone number in Google’s search results, a user’s profile will open along with the photo. An attacker can use the search in the picture and collect enough data about the potential victim.

WhatsApp Rejected This Bug for Bug Bounty

The security researcher, Athul Jayaram, told WhatsApp about its finding, but the company clearly refused his discovery to consider it as a security flaw. According to a WhatsApp spokesperson, here, the users themselves chose to make their phone numbers public.

Moreover, they have also cleared that the bug bounty program covers the Facebook platforms only, while WhatsApp is just a part of it. Apart from this, here’s what the public mediator of Google, Danny Sullivan said in his Twitter handler:-

https://twitter.com/dannysullivan/status/1230920851849003008

But, still, the security researcher, Athul Jayaram, cleared his views on the flaw and strongly recommended WhatsApp to immediately encrypt the mobile phone numbers of all its users, and append a robots.txt file to forbid the bots from crawling their domain on which this resource is available.

Bug Resolved

WhatsApp has been resolved this issue soon after reported this bug and revealed it online.

WhatsAPP spokeperson said “a WhatsApp spokesperson said that this feature, called Click to Chat, is designed to help users, especially small and microbusinesses around the world connect with their customers.”

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” 

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

HPE IceWall Flaw Let Attackers cause Unauthorized Data Modification

Hewlett Packard Enterprise (HPE) has issued an urgent security bulletin addressing a critical vulnerability...