A security researcher warns that Google is indexing the phone numbers of WhatsApp users, raising serious privacy concerns.
Click to Chat is a lesser-known WhatsApp facility that allows website visitors to converse with website operators via the messaging service.
For example, if a visitor to an e-commerce site had a query about a listing, they could scan a QR code to be entered into a WhatsApp conversation with the relevant help desk.
However, according to the researcher, utilizing this feature can land a user’s phone number in public search results, opening the door to all manner of scams and cyberattacks.
WhatsApp data privacy
Texting service WhatsApp is renowned for its high data privacy standards, offering end-to-end encryption to all users. However, this latest discovery suggests personal data may not be as private as users might think.
Users’ numbers are being exposed by the WhatsApp-owned “wa.me” domain, which stores Click to Chat metadata in a URL string.
Because there is no measure in place to prevent search engines indexing this metadata, the numbers are in effect leaked into public search results.
The “wa.me” and “api.whatsapp.com” domains don’t prevent search engines from crawling phone numbers on the website, allowing any link like “https://wa.me/” to get indexed by Google.
Experts pointed out that the link to chat feature could be exploited by threat actors to “enumerate” legitimate WhatsApp numbers.
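For operators of any service that places a phone number in a URL path, the missing indexing controls described above can be checked per response. The following is an added example, not code from the article or from WhatsApp; the function names, the path pattern, and the sample number are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Assumption: a "phone-like" path is one segment of 7-15 digits, optional "+".
PHONE_IN_PATH = re.compile(r"^/\+?\d{7,15}/?$")

class MetaRobots(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in ("robots", "googlebot"):
            self.directives |= split_directives(a.get("content") or "")

def split_directives(value):
    return {d.strip().lower() for d in value.split(",") if d.strip()}

def audit(path, headers, html, robots_txt, agent="Googlebot"):
    """Return (exposed, reason) for one response whose URL path is `path`."""
    if not PHONE_IN_PATH.match(path):
        return False, "no phone-like number in path"
    directives = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":   # agent-scoped values not handled here
            directives |= split_directives(value)
    meta = MetaRobots()
    meta.feed(html)
    directives |= meta.directives
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    crawlable = robots.can_fetch(agent, path)
    noindex = bool(directives & {"noindex", "none"})
    if noindex and crawlable:
        return False, "noindex is served and the crawler can read it"
    if noindex:
        return True, "noindex is served but robots.txt blocks the crawl, so it is never read"
    if not crawlable:
        return True, "robots.txt only blocks crawling; an externally linked URL can still be indexed"
    return True, "no noindex directive"

# Constructed samples (fictional number), not captured traffic.
PAGE = "<html><head><title>Chat</title></head><body></body></html>"
if __name__ == "__main__":
    print(audit("/15555550123", {}, PAGE, ""))
    print(audit("/15555550123", {"X-Robots-Tag": "noindex, nofollow"}, PAGE, ""))
```

Because the sensitive value sits in the URL itself, a robots.txt Disallow alone is reported as exposed: the crawler never fetches the page, so it never sees a noindex directive, and the bare URL can still appear in results when other sites link to it.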