A researcher is warning that a WhatsApp feature called “Click to Chat” puts users’ mobile phone numbers at risk — by allowing Google Search to index them for anyone to find. But WhatsApp owner Facebook says it is no big deal and that the search results only reveal what the users have chosen to make public anyway.
Bug-bounty hunter Athul Jayaram, who discovered the issue, calls the phone numbers “leaked” and characterizes the situation as a security bug that puts WhatsApp users’ privacy at risk.
Click to Chat offers websites an easy way to initiate a WhatsApp chat session with website visitors. It works by associating a Quick Response (QR) code image (created via third-party services) with a site owner’s WhatsApp mobile phone number. That allows a visitor to scan the site’s QR code or click on a URL to initiate a WhatsApp chat session – without the visitor having to dial the number itself. That visitor, however, still gains access to the phone number once the call is initiated.
The problem, Jayaram said, is that those mobile numbers can also turn up in Google Search results, because search engines index Click to Chat metadata. The phone numbers are revealed as part of a URL string..., which in effect “leaks” the mobile phone numbers of WhatsApp users in plaintext, in the researcher’s view.
WhatsApp describes Click to Chat as a convenience perk, allowing users to begin a chat with someone without having their phone number saved in their phone’s address book.
“Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers,” a WhatsApp spokesperson told Threatpost.