It seems like we move from one security concern to another. Privacy concerns are now run-of-the-mill and exposure lurks everywhere. It was only yesterday there were rumours that journalists could be monitored on the app.
Athul Jayaram on independent cyber security researcher from India has uncovered a glaring privacy issue with WhatsApps’s Click to Chat feature.
“I have discovered this privacy issue in the WhatsApp web portal that leaked around 29000–300000 WhatsApp user’s mobile numbers in plaintext accessible to any internet user in plaintext. The number of numbers accessible to you may differ due to Google bot crawl daily and its indexes are updated, also the search results vary in google.com, google.co.in and similar regional TLD’s. User’s affected are from United States, United Kingdom, India and almost all other countries. What makes this easy or appears to be simple is that data is accessible on the open web and not on the dark web.”Athul Jayaram.
The “Click to Chat” (Web Portal) feature allows you to communicate with the site’s customer service using WhatsApp.
“Whatsapp uses chat.whatsapp.com to generate group invite links while the Whatsapp Web send message API uses api.whatsapp.com and forwards the request to web.whatsapp.com. Well, WhatsApp does also have a click to chat feature where the links are generated as https://wa.me/. This feature does not encrypt the phone number in the link, as a result, if this link is shared anywhere, your phone number is also visible in plaintext.”Athul Jayaram
Athul Jayaram posted his findings on Medium, in the post he shows how he just had to add the country code to site:wa.me to get random numbers from different countries.
He even reported this error to Facebook because he worked for bug bounty programs, and thought since Facebook prioritised privacy they would look into it. The reply he got which he posts in the same Medium post was that Facebook was not covered by the Data Abuse Bounty Program. He reported this on May 26th.
It’s frightening to think how long this went on. The numbers are no longer listed according to Digital Trends, It seems as though Facebook/WhatsApp have corrected the error but there has been no official word as yet.