WhatsApp's Click to Chat feature was recently found to be leaking thousands of personal phone numbers on the open web. Phone numbers of the affected WhatsApp users were available on the web in plain text and were accessible through a simple Google search.
This potentially allowed complete strangers to find your number and then text or call you. Depending on your Whatsapp privacy settings, they could also get your profile picture, name, and profile status. This could lead to marketing executives, cybercriminals, and fraudsters targeting you. Or, in the worst case, lead to identity theft.
Athul Jayaram, an independent security researcher from India, recently discovered this "privacy issue" on WhatsApp. He said the issue may have exposed phone numbers of nearly 300,000 WhatsApp users around the world. People could also search for numbers from specific countries by using the country code.
Athul reported the issue to Facebook using the bug-bounty scheme. While the company has acknowledged and fixed the issue, his application was dismissed as "it merely contained a search engine index of URLs that WhatsApp users chose to make public."
"All WhatsApp users, including businesses, can block unwanted messages with the tap of a button," a WhatsApp spokesperson said, suggesting that it wasn't that big an issue. Nevertheless, the issue has been patched and phone numbers of WhatsApp users are no longer searchable on the web.
How the Click to Chat feature on WhatsApp works?
The Click to Chat feature on WhatsApp has been around for a long time now. This feature makes it possible for individual users or businesses to create a link through which people can send them a message on WhatsApp without having to save their phone number. They can simply click on the URL—
wa.me/<phoneNumber> — and start chatting.
However, some minor lapses in this feature mean it ended up exposing phone numbers of users on the web. Firstly, the links store phone number data in plain text, and not in an encrypted form. So if you share the link on a public platform, anyone who can see the link already has your phone number.
This would still be fine had Facebook used the "noindex" metadata on the web pages associated with those links. The
https://wa.me URL also does not have a "robots.txt" file in its server root. This means Facebook could not stop Google or other search engines from crawling and indexing such Click to Chat links.
As a result, phone numbers of around 300,000 WhatsApp users who used the Click to Chat feature ended up on the publicly accessible web.
Athul said some users have their messages leaked as well. They "probably used the Web API to communicate and those links got crawled" by search engines.
Of course, it was a low-risk issue for many users. However, as Athul said, Click to Chat users were unaware that their phone numbers could be found with a simple Google search. Thankfully, they can't be anymore.
However, if you have used the Click to Chat feature in the past and shared the links on public platforms, you might want to delete those in order to avoid unwanted messages. You can also change your WhatsApp number and make your profile picture visible only to your contacts.