According to a new discovery made by a security researcher, users of WhatsApp's Click to Chat feature could see their personal phone numbers exposed via public Google Search results.
Click to Chat is a lesser-known WhatsApp facility that lets website visitors converse with website operators over the messaging service. For example, a visitor to an ecommerce site with a question about a listing could scan a QR code to open a WhatsApp conversation with the relevant helpdesk.

However, according to Athul Jayaram, researcher and bug-bounty hunter, using this feature can land a user's phone number in public search results, opening the door to scams and cyberattacks of all kinds.

-- WhatsApp data privacy --

The WhatsApp messaging platform is renowned for its high standards in data privacy, offering end-to-end encryption to all users. This latest discovery, however, suggests that personal data may not be as private as users might want to think.

The WhatsApp-owned "wa.me" domain, which carries the Click to Chat metadata in the URL string itself (e.g. https://wa.me/), exposes the user's number. Since no mechanism is in place to stop search engines from indexing such URLs, the numbers can end up published in public search results.
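The two points in that paragraph, a number carried in plain text in the URL and nothing stopping a crawler from fetching it, can both be checked from the defender's side. The following is an added example written for this article, not code from the researcher or from WhatsApp: it scans a page's outbound links for Click to Chat URLs that publish a number (so a site operator can find where they do so), masks the number for safe logging, and uses Python's standard `urllib.robotparser` to show how a `robots.txt` Disallow rule would change whether a crawler may fetch such a URL. The HTML snippet, the phone numbers and the two `robots.txt` bodies are constructed for the example; the `api.whatsapp.com/send?phone=` form is assumed as a second URL shape alongside `wa.me/<number>`.

```python
"""Added example (not from the article, the researcher or WhatsApp):
defender-side checks for the Click to Chat exposure described above.

audit_links()      - find outbound links that publish a phone number in plain text
would_be_indexed() - show the crawl-permission side using urllib.robotparser
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse
from urllib.robotparser import RobotFileParser

# Constructed sample page: one link with the number in the path, one with the
# number in a "phone" query parameter (assumed shape), and one unrelated link.
SAMPLE_HTML = """
<a href="https://wa.me/15550000001">Chat with support</a>
<a href="https://api.whatsapp.com/send?phone=15550000002&amp;text=hi">Chat</a>
<a href="https://example.org/contact">Contact form</a>
"""

WA_HOSTS = {"wa.me", "api.whatsapp.com"}
PHONE_RE = re.compile(r"\d{7,15}")  # E.164 numbers have at most 15 digits


class _LinkCollector(HTMLParser):
    """Collect every href on the page (HTMLParser unescapes &amp; for us)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_number(url):
    """Return the phone number embedded in a Click to Chat URL, or None."""
    parts = urlparse(url)
    if parts.hostname not in WA_HOSTS:
        return None
    # wa.me/<number>: the number is the whole path
    if PHONE_RE.fullmatch(parts.path.strip("/")):
        return parts.path.strip("/")
    # api.whatsapp.com/send?phone=<number>: the number is a query parameter
    for key, value in parse_qsl(parts.query):
        if key == "phone" and PHONE_RE.fullmatch(value):
            return value
    return None


def redact(number):
    """Mask all but the last two digits so findings can be logged safely."""
    return "*" * (len(number) - 2) + number[-2:]


def audit_links(html):
    """Return [(url, masked_number)] for every link that publishes a number."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        number = extract_number(href)
        if number:
            findings.append((href, redact(number)))
    return findings


def would_be_indexed(robots_txt, url, user_agent="Googlebot"):
    """True if robots.txt lets the crawler fetch url, the precondition for indexing."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(user_agent, url)


# Constructed policies: no rules at all, versus a blanket Disallow.
OPEN_ROBOTS = ""
BLOCKING_ROBOTS = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    for url, masked in audit_links(SAMPLE_HTML):
        print(f"number published in link: {masked}  ({url})")
    target = "https://wa.me/15550000001"
    print("fetchable with no robots rules:", would_be_indexed(OPEN_ROBOTS, target))
    print("fetchable with Disallow: /    :", would_be_indexed(BLOCKING_ROBOTS, target))
```

The audit is the part a site operator controls: any page that embeds a number in a wa.me-style link is publishing that number in plain text, whatever the search engines do with it. The robots check only models crawl permission; it says nothing about URLs that a crawler has already stored, which is the "you cannot revoke it" point the researcher makes below.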

“Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. You cannot revoke it,” Jayaram explained.
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers and scammers.”

Jayaram reportedly uncovered 300,000 WhatsApp numbers made public in this way by scouring the domain through Google searches. Clicking through to the web page does not disclose the user's full name, but it does reveal their WhatsApp profile picture.

Jayaram subsequently reported the problem to WhatsApp owner Facebook via their bug-bounty scheme after making the discovery on May 23.

Nonetheless, the submission was rejected on the grounds that WhatsApp users are fully aware of, and in control of, the profile information they make available to the public.

"While we appreciate the report from this researcher and value the time it took to share it with us, it did not qualify for a bounty as it only contained a search engine index of URLs that WhatsApp users chose to make public," a WhatsApp spokeswoman said.

"All users of WhatsApp, including businesses, may block unwanted messages by pressing a button."

However, Jayaram believes that the company should take the disclosure more seriously, because of the scope of attacks that the issue could facilitate.

"Your mobile number today is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPIs, credit cards ... [allowing] an attacker to swap SIM cards and cloning attacks is another option," he said.