WhatsApp says it has fixed an issue that caused some users’ phone numbers to show up unintentionally in Google search results. Researcher Athul Jayaram posted about the flaw on 7 June, saying “his privacy issue in the WhatsApp web portal that leaked around 29000–300000 WhatsApp user’s mobile numbers in plaintext accessible to any internet user”.
This was down to the behaviour of WhatsApp’s Click to Chat feature, which lets users start a conversation with someone using a phone number, without saving that number in their contacts. It creates a link via which you can open a new chat.
Jayaram found that it was possible to expose phone numbers from Click to Chat by running a search for “site:wa.me”.
In a statement to TechCrunch, a WhatsApp spokesperson said:
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”
The spokesperson went on to say that WhatsApp made a change that stopped web crawlers from indexing the link data, stopping the flaw. The issue arose because people using Click to Chat were unaware that the process made the phone numbers public, which WhatsApp had not made clear enough in the setup process.