Users of WhatsApp’s Click to Chat feature could be sharing more than expected after personal phone numbers were found to be exposed via public Google search results.
“Click to Chat” is a lesser-known WhatsApp facility that allows website visitors to converse with website operators via the messaging service. For example, if a visitor to an e-commerce site had a query about a listing, they could scan a QR code to be entered into a WhatsApp conversation with the relevant help desk.
Now, security researcher Athul Jayaram is warning that the feature is putting users’ mobile phone numbers at risk — by allowing Google Search to index them for anyone to find.
Click to Chat offers websites an easy way to initiate a WhatsApp chat session with website visitors. It works by associating a QR code image with a site owner’s WhatsApp mobile phone number, allowing a visitor to scan the site’s QR code or click on a URL to initiate a WhatsApp chat session — without the visitor having to dial the number itself. That visitor, however, still gains access to the phone number once the call is initiated.
The problem, Jayaram said, is that those mobile numbers can also turn up in Google Search results, because search engines index Click to Chat metadata. The phone numbers are revealed as part of a URL string (https://wa.me/<phone_number>), which in effect “leaks” the mobile phone numbers of WhatsApp users in plaintext, according to the researcher.
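For a site owner who wants to know which numbers their own pages publish in this URL form, the following added example (not code from the article, the researcher or WhatsApp) audits a page's HTML for `https://wa.me/<phone_number>` links and reports them masked. The function names, the set of attributes checked and the sample page with its fictional numbers are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that commonly carry a URL a crawler can pick up (assumed list).
URL_ATTRS = ("href", "src", "content", "data-href")

def extract_number(url):
    """Return the digits of a wa.me Click to Chat URL, or None if it is not one."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    if (parsed.hostname or "").lower() != "wa.me":
        return None  # wa.me appearing in a path on another host does not count
    digits = parsed.path.strip("/").lstrip("+")
    # E.164 numbers are at most 15 digits; the query (?text=...) is ignored.
    if digits.isascii() and digits.isdigit() and 7 <= len(digits) <= 15:
        return digits
    return None

def mask(number):
    """Keep only the last two digits so the report does not repeat the exposure."""
    return "*" * (len(number) - 2) + number[-2:]

class ClickToChatAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, masked number, line number)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            number = extract_number(value)
            if number:
                self.findings.append((tag, name, mask(number), self.getpos()[0]))

def audit(html):
    parser = ClickToChatAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the numbers are fictional.
SAMPLE = """<html><head>
<meta property="og:url" content="https://wa.me/15550100123">
</head><body>
<a href="https://wa.me/15550100123?text=Order%20query">Chat with us</a>
<a href="https://example.com/wa.me/15550100999">not a Click to Chat link</a>
<a href="https://wa.me/">no number</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, masked, line in audit(SAMPLE):
        print(f"line {line}: <{tag} {attr}> exposes number {masked}")
```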
According to TechCrunch, WhatsApp has now resolved the issue, saying that the feature is designed to help users and microbusinesses around the world connect with their customers.
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” the spokesperson added.