Click to chat feature is used by various websites to interact with its visitors without the visitors needing to save the WhatsApp number.
WhatsApp number in Google Search: WhatsApp’s ‘Click to Chat’ feature is leaving the phone numbers of users vulnerable to Google indexing, making them appear on Google Search. According to bug bounty hunter Athul Jayaram, the phone numbers of users who use the ‘Click to Chat’ feature on different websites are “leaked” and he calls it a security bug, according to a report on Threatpost. Social media giant Facebook, which owns WhatsApp, however, terms this as “no big deal” according to the report, saying that the search results on Google only reveal the information which the users have chosen to make public, in the first place.
Click to chat feature is used by various websites to interact with its visitors without the visitors needing to save the WhatsApp number. This makes interaction between users and the website owners quick and simple. It can be done via a QR code (developed by a third-party service) or a URL which links to the WhatsApp number of a website owner. This way, the website visitor gets the phone number without having to dial it and save it in the address book.
As per Threatpost, Jayaram has said that those numbers are now vulnerable to having been exposed to Google Search, since Google indexes the metadata produced from this feature. The report said that a URL string reveals the vulnerable phone numbers in plain text.
The report quoted Jayaram as saying that the mobile numbers of such users are available in plain text and anyone who has the URL can access the numbers, with no way to revoke it. Threatpost report further stated that the bug bounty hunter has so far found 3 lak WhatsApp numbers. He said that while only the numbers are available on this URL, the profiles pictures linked to these numbers can also be seen, with the help of which, fraudsters and scammers can run reverse image search to establish the identity of the users. Hence, he said, this feature can lead to abuse, fraud and identity theft due to this security issue.
Jayaram further told Threatpost that while some users were aware that their numbers were public, since they had chosen to make it that way, some others were not aware of the public nature of their numbers. Some even told him that they had set up the click to chat feature so that users could connect to them for their business without their numbers being made public.