Facebook-owned instant messaging platform WhatsApp may have exposed the phone numbers of around 29K to 3 Lakh users in plain text, accessible to any internet user upon web search. The database includes phone numbers of users from India, UK, US and several other countries.
The incident was first reported by Athul Jayaram, a cybersecurity researcher. He explained that the vulnerability lies in WhatsApp's 'click to chat' feature, which lets users generate a link to their inbox. The app does not encrypt the phone number embedded in that link, so once the link is shared the number is visible in plain text via web search.
Jayaram explained that the generated link itself contains the phone number associated with the account, so anyone with access to the link can also see the user's phone number. The URL is also picked up by Google's crawler for search indexing, which is why the number is visible upon search. The link continues to be available on Google search even if the social media post that carried it has been taken down. However, the number has been taken down from Google search.
Jayaram added “this privacy issue could have been avoided if Whatsapp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages. Unfortunately, they did not do that yet and your privacy may be at stake.”
“This is because https://wa.me does not have a robots.txt file in its server root, which means you cannot stop Google or other search engine bots from crawling and indexing the wa.me links, which means those links will stay on the web. The pages do not have noindex meta tags to prevent any search engines from indexing the links,” he added.
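The two controls Jayaram names, a robots.txt Disallow rule and a noindex directive (as a meta tag or an X-Robots-Tag response header), can be checked mechanically. The following Python script is an added example written for this article; it is not WhatsApp's code and makes no claim about what wa.me actually serves. The robots.txt text, HTML pages and headers are constructed samples, and the URL uses a placeholder in place of a phone number. It uses only the standard library, so it runs offline.

```python
import urllib.robotparser
from html.parser import HTMLParser

# Placeholder URL in the shape of a click-to-chat link (constructed, not a real number).
SAMPLE_URL = "https://wa.me/PHONE_NUMBER_PLACEHOLDER"

# Constructed sample: a site with no crawl restrictions and no noindex directive.
WEAK_ROBOTS_TXT = ""
WEAK_HTML = "<html><head><title>Chat</title></head><body>Open chat</body></html>"
WEAK_HEADERS = {}

# Constructed sample: crawling disallowed, and the page itself says noindex both ways.
HARDENED_ROBOTS_TXT = "User-agent: *\nDisallow: /\n"
HARDENED_HTML = (
    '<html><head><meta name="robots" content="noindex, nofollow">'
    "<title>Chat</title></head><body>Open chat</body></html>"
)
HARDENED_HEADERS = {"X-Robots-Tag": "noindex, nofollow"}


class _MetaRobotsParser(HTMLParser):
    """Collects the directives from every <meta name="robots" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "robots":
            self.directives.extend(
                d.strip().lower() for d in attr.get("content", "").split(",")
            )


def robots_txt_allows(robots_txt, url, user_agent="Googlebot"):
    """True if the given robots.txt would let `user_agent` fetch `url`.

    An empty robots.txt (or a missing one, which crawlers treat the same way)
    allows everything, which is the situation the article describes.
    """
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


def page_has_noindex(html, headers):
    """True if the page carries a noindex directive in a meta tag or X-Robots-Tag header."""
    meta = _MetaRobotsParser()
    meta.feed(html)
    meta_noindex = "noindex" in meta.directives

    # Header names are case-insensitive; normalise before looking the tag up.
    lowered = {k.lower(): v for k, v in headers.items()}
    header_directives = [d.strip().lower() for d in lowered.get("x-robots-tag", "").split(",")]
    header_noindex = "noindex" in header_directives

    return meta_noindex or header_noindex


def is_indexable(robots_txt, url, html, headers):
    """A URL ends up in search results when crawlers may fetch it and nothing tells them not to index it."""
    return robots_txt_allows(robots_txt, url) and not page_has_noindex(html, headers)


if __name__ == "__main__":
    print("weak configuration indexable:", is_indexable(WEAK_ROBOTS_TXT, SAMPLE_URL, WEAK_HTML, WEAK_HEADERS))
    print("hardened configuration indexable:",
          is_indexable(HARDENED_ROBOTS_TXT, SAMPLE_URL, HARDENED_HTML, HARDENED_HEADERS))
```

One design note on why the hardened sample sets both controls: a robots.txt Disallow stops crawlers fetching the page, but a search engine can still list a disallowed URL (without a snippet) if it finds the link elsewhere, and a noindex directive only takes effect if the crawler is able to fetch the page and read it. For a link whose URL itself carries the sensitive value, checking both signals is the sensible minimum.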
The cybersecurity researcher had also raised the issue with Facebook, which reportedly said that the “data abuse is only covered for Facebook platforms and not WhatsApp.”
Meanwhile, data of 267 Mn Facebook users had also been put up for sale on the dark web for around INR 42K, back in April 2020. Threat intelligence platform Cyble highlighted that the database contained email addresses, names, Facebook IDs, dates of birth and phone numbers. The company's researchers had also purchased the data to verify it. This database did not include account passwords.