This article is more than 1 year old
Whatsapp blamed own users for failure to keep phone number repo off Google searches
This story also mentions QR codes for maximum facepalm effect
An infosec researcher reckons Whatsapp was a bit too quick off the mark to blame its users when hundreds of thousands of phone numbers, names and profile pictures were found to be easily accessible via Google.
Athul Jayaram, a self-described “full time bug bounty hunter”, published a blog post earlier this week highlighting that a large number of Whatsapp users’ mobile numbers could easily be found by searching Google for the domain “wa.me”.
That domain formed part of Whatsapp’s Click to Chat function. If you, the owner of a Whatsapp account, fancied letting world+dog add you as a new chat contact rather than going through the tedious process of tapping their phone number into yours, digit by digit, you could generate a QR code (yes, one of those things…) for them to do so.
Billed as a feature for businesses wanting to make customer comms easier, Click to Chat QR shortcodes resolved to https://wa.me along with a unique URL string. The unique string just happened to be the full phone number of the user.
“This feature does not encrypt the phone number in the link, as a result, if this link is shared anywhere, your phone number is also visible in plaintext,” said Jayaram in his blog post.
He went on to do some Googling, using the “site:” operator to restrict his searches to the Whatsapp QR code domain, finding what he estimated was around 300,000 phone numbers from a variety of countries including India, America and Great Britain.
It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spywareREAD MORE
Clearly the right thing to do would have been for Whatsapp to simply set wa.me’s robots.txt file so Google didn’t index the site, something that also occurred to Jayaram. Yet it decided to blame its own users for its privacy screwup, telling Techcrunch that Jayaram’s findings “merely contained a search engine index of URLs that WhatsApp users chose to make public.” A spokesman added to the site: “All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”
Although Jayaram seemed annoyed that he didn’t earn a bug bounty payout, that isn’t the issue here. Whatsapp has suffered from security and privacy problems in the recent past – some big, some less so, and some downright scary. Facebook, its owner, makes a big deal out of its security features including end-to-end encryption. Technical security is no good if you’re going to let the world’s biggest search engine, run by the world’s biggest advertising technology company, hoover up your users’ phone numbers by exposing them in plaintext on one of your websites.
Although wa.me has since been cleansed from Google, now the whole world and its malicious dog knows where to go to find a nice big repository of active phone numbers for smishing, SIM swapping and all the other ways in which bad people can steal personal and/or financial data starting with an active mobile phone number. Bad people don’t respect robots.txt, after all.
We have asked Facebook for comment and will update this article if the company replies. ®