Author Topic: Google's indexing of WhatsApp numbers raises privacy concerns  (Read 108 times)

Offline javajolt
Google is indexing the phone numbers used on WhatsApp, and a researcher is concerned that it could cause privacy issues or be used for malicious purposes.

Earlier this year, BleepingComputer reported how invite links to private groups on messaging apps such as WhatsApp and Telegram were visible on Google, letting anyone join the groups.

This week, security researcher Athul Jayaram highlighted an issue with WhatsApp’s “wa.me” domain “leaking” contact phone numbers on Google.

The 'wa.me' domain is owned by WhatsApp and is used to host 'click to chat' links that "allows you to begin a chat with someone without having their phone number saved in your phone's address book."


WhatsApp phone numbers indexed in Google

As stated by Jayaram and confirmed by BleepingComputer, there is no “robots.txt” file on “wa.me” or “api.whatsapp.com” domains that instructs search engines not to crawl phone numbers on the website.

As a result, links that start with “http://wa.me/” get crawled and indexed by Google and other search engines and appear in search results, with the phone number visible in the URL itself.

"As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers," Jayaram told Threatpost, who broke the story.

When clicked, these links redirect to an “api.whatsapp.com” page enabling a user to “continue chat” with the WhatsApp user.
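What an attacker would actually do with such search results is scrape the phone numbers out of the indexed URLs. The following is an added example written for this page (not code from the article, from Threatpost or from WhatsApp) that pulls numbers out of both URL forms described above, the wa.me short link and the api.whatsapp.com/send?phone= redirect target. The list of URLs is constructed to resemble search-result URLs, and the 7-to-15-digit plausibility filter (E.164 allows at most 15 digits) is an assumption.

```python
"""Added example: harvesting numbers from indexed click-to-chat URLs.

Not code from the article or from WhatsApp.  The URL list is constructed to
look like search-result URLs; the 7..15 digit plausibility filter (E.164 allows
at most 15 digits) is an assumption.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a scraper might collect from search results.
INDEXED_URLS = [
    "http://wa.me/15551234567",
    "https://wa.me/+15551234567?text=Hello",                      # same number, with '+'
    "https://wa.me/%2B4915551234567",                             # '+' percent-encoded
    "https://api.whatsapp.com/send?phone=4915551234567&text=Hi",  # redirect-target form
    "https://wa.me/qr/EXAMPLECODE",                               # QR deep link, no number
    "https://example.com/contact",                                # unrelated site
]

CLICK_TO_CHAT_HOSTS = {"wa.me", "api.whatsapp.com"}


def phone_from_url(url: str):
    """Return the digits of the number embedded in a click-to-chat URL, or None."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host not in CLICK_TO_CHAT_HOSTS:
        return None
    if host == "wa.me":
        # wa.me/<number>[?text=...]: the number is the first path segment.
        candidate = unquote(parts.path.strip("/").split("/")[0])
    else:
        # api.whatsapp.com/send?phone=<number>: the number is a query parameter.
        candidate = parse_qs(parts.query).get("phone", [""])[0]
    digits = re.sub(r"\D", "", candidate)  # drop '+', spaces, dashes
    # Rejects paths such as /qr/... and implausibly short values such as the
    # article's test link wa.me/11111; real numbers have 7..15 digits.
    return digits if 7 <= len(digits) <= 15 else None


def harvest_numbers(urls):
    """Deduplicated, sorted list of the numbers found in the given URLs."""
    found = {n for n in (phone_from_url(u) for u in urls) if n}
    return sorted(found)


if __name__ == "__main__":
    for number in harvest_numbers(INDEXED_URLS):
        print(number)
```

The two spellings of the same number (with and without the leading “+”) collapse to one entry, which is why a scraper normalises before deduplicating.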

Although this could be a privacy issue, especially if spammers harvest legitimate WhatsApp numbers from Google and message you directly on WhatsApp, it is not necessarily a bug.

As a test, I created the fake http://wa.me/11111 link using a fake phone number.

As you can see below, this redirected me to the api.whatsapp.com/send?phone=11111 link. This link showed the same landing page, giving the impression that the number was a valid WhatsApp contact, even though it wasn't.


Fake WhatsApp click to chat link

This means spammers can't simply exploit this feature to “enumerate” legitimate WhatsApp numbers: the click-to-chat landing page looks the same whether or not the number is registered, so it gives no confirmation that an indexed number is live.

Perhaps for that reason, Facebook rejected the bug bounty report Jayaram filed on the issue:

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” Jayaram told Threatpost.

Additionally, it is worth noting that entire directories of legitimate phone numbers, regardless of whether their owners have a WhatsApp or Telegram account, are already posted on the web.

This practice has been going on for decades, long before messaging apps existed, and has allowed Google to index those numbers all along.


Phone number directories indexed in Google

Therefore, publishing a phone number on the web does not, by itself, link it to other personally identifiable information or to passwords.

Jayaram still feels that the public indexing of phone numbers can be a security risk or privacy risk, as so many of our online services are tied to our phone numbers.

The researcher recommends that WhatsApp add a robots.txt file to these domains to stop Google from crawling the links, and also “encrypt” users' mobile numbers. One caveat: a robots.txt Disallow only tells compliant crawlers not to fetch the pages; a URL that is linked from elsewhere can still appear in search results as a bare link, so keeping already-discovered numbers out of the index would also require a noindex directive (for example an X-Robots-Tag: noindex response header) on wa.me and api.whatsapp.com.

“Unfortunately they did not do that yet, and your privacy may be at stake,” he said. “Today, your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility,” Jayaram stated.

It is not entirely clear what “encrypting” mobile numbers means in this context, but the likely intent is to replace the number in the URL with a random, unguessable token that the server maps back to the number, the way a shortened URL such as http://bit.ly/2Mxb5Hp (which redirects to BleepingComputer) reveals nothing about its destination. That only helps if the number does not reappear one hop later: today wa.me/<number> redirects to api.whatsapp.com/send?phone=<number>, so the redirect target would have to change as well.
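To make the token idea concrete, here is an added example of a hypothetical click-to-chat service written for this page; it is not WhatsApp's code, and the chat.example domain, the chatapp:// link scheme and the response shape are assumptions. A link carries only a 128-bit random token, the token-to-number mapping lives server-side, and every response that could reveal a number carries an X-Robots-Tag: noindex header, which addresses the robots.txt limitation noted above. It deliberately does not redirect to a URL containing the number, since that would put the number back into something a search engine can index.

```python
"""Added example: click-to-chat links keyed by random tokens instead of numbers.

Hypothetical service written for this page, not WhatsApp's code.  The domain
chat.example, the chatapp:// link scheme and the response shape are assumptions.
"""
import re
import secrets

HOST = "https://chat.example"                 # stands in for wa.me
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"   # stops compliant crawlers fetching pages
NOINDEX = "noindex, nofollow"                 # keeps already-known URLs out of the index


class ClickToChatService:
    def __init__(self):
        self._phone_by_token = {}  # server-side mapping, never exposed in a URL

    def create_link(self, phone: str) -> str:
        """Register a number and return a link that does not contain it."""
        digits = re.sub(r"\D", "", phone)
        if not 7 <= len(digits) <= 15:        # E.164 allows at most 15 digits
            raise ValueError("not a plausible phone number")
        token = secrets.token_urlsafe(16)      # 128 random bits: cannot be enumerated
        self._phone_by_token[token] = digits
        return f"{HOST}/{token}"

    def handle(self, path: str) -> dict:
        """Minimal request handler: status, headers and body for a request path."""
        if path == "/robots.txt":
            return {"status": 200,
                    "headers": {"Content-Type": "text/plain"},
                    "body": ROBOTS_TXT}
        phone = self._phone_by_token.get(path.lstrip("/"))
        if phone is None:
            # Unknown tokens get one generic reply; nothing distinguishes
            # "never issued" from "revoked", so there is no validity oracle.
            return {"status": 404,
                    "headers": {"X-Robots-Tag": NOINDEX},
                    "body": "Not found"}
        # The number has to reach the person who clicked, so it appears in the
        # page body.  The X-Robots-Tag keeps this page out of search results even
        # if the token URL is linked from somewhere public.  A redirect whose
        # Location held the number (as api.whatsapp.com/send?phone=... does
        # today) would leak it again.
        body = f'<a href="chatapp://send?phone={phone}">Continue to chat</a>'
        return {"status": 200,
                "headers": {"Content-Type": "text/html", "X-Robots-Tag": NOINDEX},
                "body": body}


if __name__ == "__main__":
    svc = ClickToChatService()
    link = svc.create_link("+1 (555) 123-4567")   # constructed sample number
    print(link)                                   # no digits of the number appear here
    print(svc.handle("/" + link.rsplit("/", 1)[1]))
```

Anyone who holds the link can still see the number once they click it; that is inherent to click-to-chat. What changes is that a search engine crawling the link, or a scraper with a list of indexed URLs, no longer gets the number for free.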

Unfortunately, at this time, WhatsApp does not provide a way to make your phone number private.

Those concerned about their number being indexed can instead register WhatsApp with a virtual phone number from Google Voice or a similar service.

source