Google is indexing the phone numbers of WhatsApp users that could be abused by threat actors for malicious activities.
Even if Google Search only revealed the phone numbers and not the identities of associated users, ill-intentioned attackers could be able to see users’ profile pictures on WhatsApp and performing a reverse-image search the user’s profile picture to gather additional info on the potential victim (i.e. mining social media accounts where the victim use the same profile picture).
Earlier this year, the Deutsche Welle journalist Jordan Wildon, noticed that invite links for WhatsApp and Telegram groups that may be intended for private access were available through search engines.
These links could be abused by threat actors to join the group.
Now security researcher Athul Jayaram discovered a data leak with WhatsApp’s ‘wa.me’ domain that was revealing contact phone numbers on Google.
The ‘wa.me’ domain is used to host ‘click to chat‘ links that allow users to start a chat with someone without having their phone number saved in the phone’s address book.
To create the click to chat links, use https://wa.me/<number> where the <number> is a full phone number in international format.
Jayaram demonstrated that it is quite easy to find phone numbers of WhatsApp users online leaked by ‘wa.me.’
The “wa.me” or “api.whatsapp.com” domains don’t’ prevent search engines from crawling phone numbers on the website allowing any link like “https://wa.me/” to get indexed by Google.
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” Jayaram told ThreatPost.
Experts pointed out that the link to chat feature could be exploited by threat actors to “enumerate” legitimate WhatsApp numbers.
Jayaram reported the issue to Facebook that did not accept it as part of its bug bounty program.
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” Facebook replied to Jayaram
The solution to the problem is quite simple, using a robot.txt in the above domains it is possible to prevent Google from crawling these results.
“Unfortunately they did not do that yet, and your privacy may be at stake,” he said. “Today, your mobile number is linked to your Bitcoin wallets, Adhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility,” Jayaram stated.
(SecurityAffairs – Whatsapp, privacy)