Days after a security researcher found thousands of phone numbers tied to WhatsApp accounts indexed on Google Search, the search engine has stopped showing data from the wa.me URL. The researcher had claimed that chat links generated via WhatsApp’s “click to chat” feature could be found with a simple Google search and that the numbers were showing in plain text, a potential “privacy issue”.
The individual chat links are generated using WhatsApp’s “click to chat” feature, which allows users to start a chat with someone without having to save their number in their phone’s contacts list or phone book. The feature is often used by businesses to help their customers connect with them on WhatsApp with a simple click.
Users who do not want their mobile numbers to pop up in Google Search could avoid using the “click to chat” feature for now. Those already using the feature should delete any such direct chat links from publicly accessible websites and social media platforms.
Security researcher and bug bounty hunter Athul Jayaram, who discovered the issue, is calling it a security bug that puts WhatsApp users’ privacy at risk, but WhatsApp owner Facebook says that it is not a bug and that the search results only reveal what the users have chosen to make public.
The researcher says that the publicly accessible WhatsApp mobile numbers could trigger identity theft. He also maintained that “click to chat” users are unaware that their phone numbers are being stored in plain text and could be found with a simple search query.
Jayaram claimed he contacted Facebook regarding the issue via its bug-bounty program but was told data abuse is only covered for the Facebook platform and not for WhatsApp. However, a WhatsApp spokesperson said WhatsApp is part of the data-abuse bounty programme, but his find did not qualify for a bounty since it “merely contained a search engine index of URLs that WhatsApp users chose to make public”.
While the debate on whether WhatsApp numbers showing up on Google Search is a bug or not is on, Jayaram recommends that WhatsApp add a “robots.txt” file to the “wa.me” domain and the related “api.whatsapp.com” domain to prevent them from being indexed by Google. The wa.me site is no longer indexed on Google.
Meanwhile, “api.whatsapp.com” is still showing WhatsApp “click to chat” links with user mobile numbers. Jayaram shared a screenshot and asked in a tweet whether a fix would be issued for “api.whatsapp.com” just as was done for “wa.me”.
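For site owners acting on the advice above to remove click-to-chat links from public pages, the following added example (not code from the article, the researcher or WhatsApp) audits a page's HTML for links on the two domains that carry a phone number. The `wa.me/<number>` and `api.whatsapp.com/send?phone=<number>` layouts, the function names and the sample page are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hosts named in the article; the URL layouts handled below are assumptions.
CHAT_HOSTS = {"wa.me", "api.whatsapp.com"}
# Constructed sample page with fictional numbers.
SAMPLE_PAGE = """<html><body>
<a href="https://wa.me/15555550123">Chat with sales</a>
<a href="https://api.whatsapp.com/send?phone=15555550199&amp;text=Hi">Support</a>
<a href="https://example.com/contact">Contact form</a>
</body></html>"""


def exposed_number(url):
    """Return the digits a click-to-chat URL exposes, or None."""
    try:
        # Accept scheme-less and protocol-relative links as well.
        parts = urlsplit(url if "://" in url else "https://" + url.lstrip("/"))
    except ValueError:
        return None
    host = parts.hostname or ""
    if host not in CHAT_HOSTS:
        return None
    if host == "wa.me":
        candidate = parts.path.strip("/")
    else:
        candidate = parse_qs(parts.query).get("phone", [""])[0]
    digits = re.sub(r"[\s+()-]", "", candidate)  # drop common separators
    return digits if re.fullmatch(r"\d{7,15}", digits) else None


class ChatLinkAudit(HTMLParser):
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        number = exposed_number(href) if tag == "a" and href else None
        if number:
            self.findings.append((self.getpos()[0], href, number))


def audit(html):
    """Return (line, href, digits) for every number-bearing chat link."""
    parser = ChatLinkAudit()
    parser.findings = []
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, href, number in audit(SAMPLE_PAGE):
        print(f"line {line}: {href} exposes {number}")
```

Each finding is a link to remove or replace with a contact form if the number should not be discoverable through the page.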
Earlier this year, it was revealed that private WhatsApp group invite links could be found with a simple Google search, thus allowing anyone to infiltrate a WhatsApp group and extract details of group members. Facebook initially denied that the issue was a fault but later acknowledged it and issued a fix.