The phone numbers of many WhatsApp users are accessible through Google search results, according to independent cybersecurity researcher Athul Jayaram.
In a blog post published on the issue, Jayaram states that up to 30,000 WhatsApp users’ mobile numbers are accessible to any Internet user in plaintext through a simple Google search.
The number of exposed mobile numbers will differ depending on the Google bot’s most recent web crawl and the user’s region, he said.
“Users affected are from United States, United Kingdom, India, and almost all other countries,” Jayaram added.
This privacy issue stems from WhatsApp’s Click to Chat feature, which allows WhatsApp users to share their mobile number using a QR code or custom URL.
Other people can then scan this QR code or visit this URL to add this user as a contact.
The site that serves Click to Chat URLs has no robots.txt file, and its pages carry no “noindex” HTML meta tags, which means that Google crawls the website and indexes the pages in its search results.
Jayaram said this could result in unknown users such as cybercriminals, fraudsters, and direct marketers contacting you without permission.
Additionally, if your WhatsApp profile is set to public, they will be able to view your profile picture, name, and status.
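As an added example (not from Jayaram's post or from WhatsApp), the following check audits an already-fetched page for the indexing controls discussed above: robots.txt rules and a robots meta tag, plus the `X-Robots-Tag` response header, which the article does not mention. The host `chat.example`, the phone number and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots"> / <meta name="googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def indexing_controls(url, headers, html, robots_txt, agent="Googlebot"):
    """Report which indexing controls apply to one already-fetched page."""
    meta = RobotsMeta()
    meta.feed(html)
    header = {d.strip().lower()
              for name, value in headers.items() if name.lower() == "x-robots-tag"
              for d in value.split(",")}
    robots = RobotFileParser()
    robots.parse((robots_txt or "").splitlines())  # empty/missing file allows everything
    crawl_allowed = robots.can_fetch(agent, url)
    noindex = bool({"noindex", "none"} & (meta.directives | header))
    return {
        "crawl_allowed": crawl_allowed,
        "noindex": noindex,
        # A crawler only honours noindex on pages it may fetch; Disallow alone
        # stops crawling but does not remove a URL that is linked elsewhere.
        "content_indexable": crawl_allowed and not noindex,
    }


# Constructed sample: placeholder host and phone number, not a real endpoint.
SAMPLE_URL = "https://chat.example/15550100"
BARE_PAGE = "<html><head><title>Chat with +1 555 0100</title></head></html>"
HARDENED_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'

if __name__ == "__main__":
    print(indexing_controls(SAMPLE_URL, {}, BARE_PAGE, None))
    print(indexing_controls(SAMPLE_URL, {}, HARDENED_PAGE, None))
    print(indexing_controls(SAMPLE_URL, {"X-Robots-Tag": "noindex"}, BARE_PAGE, None))
```

The first call models the situation the article describes: with no robots.txt and no noindex signal, the page content is open to indexing.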
Jayaram contacted Facebook regarding this issue last month via the company’s bug bounty programme, but his report was subsequently rejected.
He claimed that Facebook said that data abuse was covered by the bug bounty programme only for Facebook platforms and not WhatsApp.
Speaking to Threatpost, however, Facebook said that WhatsApp did fall under the company’s bug bounty programme.
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public,” Facebook said.
“All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” he said.