WhatsApp blamed own users for failure to keep phone number repo off Google searches

This story also mentions QR codes for maximum facepalm effect

An infosec researcher reckons WhatsApp was a bit too quick off the mark to blame its users when hundreds of thousands of phone numbers, names and profile pictures were found to be easily accessible via Google.

Athul Jayaram, a self-described “full time bug bounty hunter”, published a blog post earlier this week highlighting that a large number of WhatsApp users’ mobile numbers could easily be found by searching Google for the domain “wa.me”.

That domain formed part of WhatsApp’s Click to Chat function. If you, the owner of a WhatsApp account, fancied letting world+dog add you as a new chat contact rather than going through the tedious process of tapping their phone number into yours, digit by digit, you could generate a QR code (yes, one of those things…) for them to do so.

Billed as a feature for businesses wanting to make customer comms easier, Click to Chat QR shortcodes resolved to https://wa.me along with a unique URL string. The unique string just happened to be the full phone number of the user.

“This feature does not encrypt the phone number in the link, as a result, if this link is shared anywhere, your phone number is also visible in plaintext,” said Jayaram in his blog post.

He went on to do some Googling, using the “site:” operator to restrict his searches to the WhatsApp QR code domain, finding what he estimated was around 300,000 phone numbers from a variety of countries including India, America and Great Britain.

Clearly the right thing to do would have been for WhatsApp to simply set wa.me’s robots.txt file so Google didn’t index the site, something that also occurred to Jayaram. Yet it decided to blame its own users for its privacy screwup, telling TechCrunch that Jayaram’s findings “merely contained a search engine index of URLs that WhatsApp users chose to make public.” A spokesman added to the site: “All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”
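For site owners who publish Click to Chat links, the following is an added example (not code from Jayaram's post or from WhatsApp) that audits a page for wa.me links carrying a full phone number and checks whether a given robots.txt would let a compliant crawler fetch them. The function names, the sample page, the sample robots.txt bodies and the phone numbers are all constructed for illustration.

```python
import re
from urllib import robotparser

# Click to Chat links as the article describes them: https://wa.me/<full phone number>
WA_ME_LINK = re.compile(r"https?://wa\.me/\+?(\d{7,15})\b")

# Constructed sample data; the numbers come from ranges reserved for fiction.
SAMPLE_PAGE = """
<a href="https://wa.me/12025550143">Chat with sales</a>
<a href="https://wa.me/447700900123?text=Hello">Support</a>
<a href="https://wa.me/12025550143">Chat with sales (footer)</a>
<a href="https://example.com/contact">Contact form</a>
"""
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"      # everything may be crawled
ROBOTS_CLOSED = "User-agent: *\nDisallow: /\n"  # compliant crawlers stay out


def mask(number: str) -> str:
    """Keep only the first and last two digits so the report does not re-leak the number."""
    return number[:2] + "*" * (len(number) - 4) + number[-2:]


def wa_me_numbers(html: str) -> list[str]:
    """Unique phone numbers exposed in plaintext by wa.me links, in page order."""
    return list(dict.fromkeys(WA_ME_LINK.findall(html)))


def crawler_may_fetch(robots_txt: str, url: str, agent: str = "Googlebot") -> bool:
    """Evaluate a robots.txt body offline for one crawler and one URL."""
    parser = robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, url)


def audit(html: str, robots_txt: str) -> dict[str, bool]:
    """Map each masked number to whether a compliant crawler may fetch its link."""
    return {
        mask(n): crawler_may_fetch(robots_txt, f"https://wa.me/{n}")
        for n in wa_me_numbers(html)
    }


if __name__ == "__main__":
    for label, robots in (("open", ROBOTS_OPEN), ("closed", ROBOTS_CLOSED)):
        for masked, crawlable in audit(SAMPLE_PAGE, robots).items():
            print(f"robots={label:6} number={masked} crawlable={crawlable}")
```
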

Although Jayaram seemed annoyed that he didn’t earn a bug bounty payout, that isn’t the issue here. WhatsApp has suffered from security and privacy problems in the recent past – some big, some less so, and some downright scary. Facebook, its owner, makes a big deal out of its security features including end-to-end encryption. Technical security is no good if you’re going to let the world’s biggest search engine, run by the world’s biggest advertising technology company, hoover up your users’ phone numbers by exposing them in plaintext on one of your websites.

Although wa.me has since been cleansed from Google, now the whole world and its malicious dog knows where to go to find a nice big repository of active phone numbers for smishing, SIM swapping and all the other ways in which bad people can steal personal and/or financial data starting with an active mobile phone number. Bad people don’t respect robots.txt, after all.

We have asked Facebook for comment and will update this article if the company replies. ®
