WhatsApp users were warned about a worrying glitch earlier this week that could end up exposing personal phone numbers in Google’s very public search results. The shocking issue, which was discovered by researcher Athul Jayaram, affected users who joined conversations via the “Click to Chat” feature.
This option is aimed at making it faster for users to connect more quickly by producing a short URL which can be shared without needing to add people to contacts on a phone. This feature has been especially useful for businesses trying to keep in touch with customers but it appears that using it comes with a hidden flaw that leads to phone numbers then being published on the web.
WhatsApp was clearly worried about the implications of this issue and has now pushed out a fix which should stop it ever happening again.
In a statement, a WhatsApp spokesperson said: “While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”
Jayaram said that WhatsApp users’ phone numbers appeared in search results because the Facebook-owned firm did not direct Google and other search engines to ignore indexing these links – something that has now been addressed.
Although it has been rectified, some experts have expressed their concern at this glitch with Jake Moore, Cybersecurity Specialist at ESET saying: “WhatsApp is an easy-to-use communicating platform, but it doesn’t have privacy at the heart of the app. Although this flaw has been patched, it highlights the lack of privacy and protection of its users.
“Bad actors are very clever at using minimal information to target their victims. With just a simple phone number and a link to a chat group, there’s a chance the victim could be manipulated into a targeted smishing attack where they are coerced into offering over more personal details, such as bank account details.”
This isn’t the first time that WhatsApp has been under the spotlight for revealing data on Google. Earlier this year, it was found that private WhatsApp group chats can be discovered with a quick Google search.
Conversations with friends or family can be unearthed by the search engine – with users then able to request to join the chat.
Once someone becomes part of a WhatsApp group chat, they will be to access the phone numbers of every member. As such, it’s possible someone who stumbles across the link to the conversation in a Google search could soon find themselves with access to dozens of private mobile numbers.
The ability to join WhatsApp group chats from Google searches arose when the Facebook-owned company started to offer the ability for users to share an invite link. This unique URL is designed to allow users to widely share a shortcut to join groups – so you can send out the link at the bottom of a newsletter or company email and avoid the laborious process of adding members one-by-one using their mobile number.
“Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users,” a spokesperson for the company said.
“Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”
Published at Thu, 11 Jun 2020 06:17:00 +0000