
[UPDATED] PSA: Don’t use this WhatsApp feature if you want to keep your number private

[ UPDATE 11/06/2020 15:17 ]: WhatsApp has since rectified the issue, with phone numbers from Click to Chat no longer indexed in Google Search results. For the full story, click here.

===

If you’ve been using the Click to Chat feature on WhatsApp, this might come as a shock to you. Security researcher Athul Jayaram recently shared that using the feature—widely used by business accounts on the messaging platform—puts the privacy of your phone number at risk. Athul considers the issue to be a bug, although WhatsApp’s parent company Facebook has rejected the researcher’s claim via its bug bounty program.

Regardless, the issue is still one that should concern anyone who uses the feature. The feature is often used by business users such as e-commerce sites, and Athul says that it could lead to potential abuse and fraud from malicious parties.

So, how does it work?

Have you ever been on an e-commerce site, and there’s a prominent button that directly opens a chat on WhatsApp with the merchant/vendor? Or perhaps you’ve seen the Click to Chat button on one of the various property listing websites, where a quick press of a button puts you in contact with a realtor?

Athul says that this very feature puts the privacy of these phone numbers at risk, because the numbers end up being indexed in Google Search results. Google indexes Click to Chat metadata, which means that the numbers can be seen as part of the URL for the Click to Chat function, e.g. https://wa.me/<phone number>

What’s rather worrying is that users who utilise Click to Chat won’t be able to do anything about it, with the private number displayed in full within the URL:

“Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it.”
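An added example (not from the original article, the researcher or WhatsApp): a short Python audit that a site owner could run over their own page source to list every wa.me link that carries a number in plain text, masking the number in the report. The sample page and its numbers are constructed, and the 7 to 15 digit length check is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

def number_in_link(href):
    """Digits of the phone number embedded in a wa.me link, else None."""
    url = urlparse(href.strip())
    if (url.hostname or "").lower() != "wa.me":
        return None
    first = url.path.strip("/").split("/")[0].lstrip("+")
    # Assumption: a full international number is 7 to 15 digits (E.164 upper bound).
    return first if re.fullmatch(r"\d{7,15}", first) else None

def mask(number):
    """Keep only the last three digits so the report does not leak the number again."""
    return "*" * (len(number) - 3) + number[-3:]

class ClickToChatAudit(HTMLParser):
    """Collects (line, masked number) for each <a href> pointing at wa.me/<number>."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        number = number_in_link(dict(attrs).get("href") or "")
        if number:
            line, _ = self.getpos()
            self.findings.append((line, mask(number)))

def audit(html):
    parser = ClickToChatAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the numbers are made up.
SAMPLE_PAGE = """<html><body>
<a href="https://wa.me/15550100123?text=Hi">Chat with sales</a>
<a href="https://example.com/contact">Contact form</a>
<a href="HTTPS://WA.ME/+15550100199/">Chat with support</a>
<a href="https://wa.me/message/ABC123">Link without a number in the path</a>
</body></html>"""

if __name__ == "__main__":
    for line, masked in audit(SAMPLE_PAGE):
        print(f"line {line}: wa.me link exposes number {masked}")
```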

However, it’s worth noting that the public access to these numbers does not extend to the identity of users, only their phone numbers. This is because WhatsApp—unlike many messenger platforms—identifies users by their phone numbers. Users’ profile photos and phone numbers are still accessible, though. Depending on your profile privacy settings, this also means that a perpetrator could do a reverse search with your profile picture, and eventually discover your identity.

This, of course, opens up the door to potential scams and fraud. Access to thousands, if not millions of genuine phone numbers could be sold to malicious parties, and identity theft is also a concern here.

What is WhatsApp doing about this?

Well, WhatsApp actually advertises this as a feature, and to be fair, the FAQ section makes it clear that your phone number will be included in the URL.

“WhatsApp’s click to chat feature allows you to begin a chat with someone without having their phone number saved in your phone’s address book. As long as you know this person’s phone number and they have an active WhatsApp account, you can create a link that will allow you to start a chat with them. By clicking the link, a chat with the person automatically opens. Click to chat works on both your phone and WhatsApp Web.”

Additionally, WhatsApp says that users can simply block unwanted messages easily, and that the numbers have been made public by choice. As such, Athul’s discovery won’t be rewarded with a bounty “since it merely contained a search engine index of URLs that WhatsApp users chose to make public”.

Regardless, for a messaging platform that touts its encryption and privacy measures, this is rather worrying. While there isn’t technically anything sketchy going on here, it’d be wise to be careful when using the Click to Chat feature—especially now that you know that your numbers are indexed for public Google Search.
