The Click to Chat messenger function “sends” phone numbers to a search engine.
Security researcher Athul Jayaram has warned of a threat posed by the WhatsApp messenger called Click to Chat. According to him, the function allows Google to index the phone numbers of users, and then they can be easily found using a search engine.
Click to Chat allows sites to quickly initiate WhatsApp conversations with their visitors. The function works by assigning a QR code to the phone number of the resource owner. The site visitor just needs to scan the QR code or click on the URL, and the dialogue in WhatsApp will begin. It is not required to enter a phone number, however, when the conversation begins, the user still has access to it.
According to Jayaram, the problem is that these numbers then go to Google because the search engine indexes Click to Chat metadata. The phone number is included in the URL string ( https://wa.me/), which leads to its "leak", the researcher believes. Thanks to this, spammers can easily create databases of valid numbers and use them in their campaigns. The researcher himself discovered about 300 thousand indexed Google phone numbers.
Although phone numbers are not tied to the names of their owners, attackers can still find out to whom they belong. If you click on the URL with a phone number in Google’s search results, a user’s profile will open along with the photo. An attacker can use the search in the picture and collect enough data about the potential victim.
The researcher told WhatsApp about its discovery, but the company refused to consider it a vulnerability, because users themselves chose to make their phone numbers public
Security researcher Athul Jayaram has warned of a threat posed by the WhatsApp messenger called Click to Chat. According to him, the function allows Google to index the phone numbers of users, and then they can be easily found using a search engine.
Click to Chat allows sites to quickly initiate WhatsApp conversations with their visitors. The function works by assigning a QR code to the phone number of the resource owner. The site visitor just needs to scan the QR code or click on the URL, and the dialogue in WhatsApp will begin. It is not required to enter a phone number, however, when the conversation begins, the user still has access to it.
According to Jayaram, the problem is that these numbers then go to Google because the search engine indexes Click to Chat metadata. The phone number is included in the URL string ( https://wa.me/), which leads to its "leak", the researcher believes. Thanks to this, spammers can easily create databases of valid numbers and use them in their campaigns. The researcher himself discovered about 300 thousand indexed Google phone numbers.
Although phone numbers are not tied to the names of their owners, attackers can still find out to whom they belong. If you click on the URL with a phone number in Google’s search results, a user’s profile will open along with the photo. An attacker can use the search in the picture and collect enough data about the potential victim.
The researcher told WhatsApp about its discovery, but the company refused to consider it a vulnerability, because users themselves chose to make their phone numbers public