Facebook-owned WhatsApp has become one of the world’s most popular free messaging and VoIP apps in recent years. The internal phone numbers tied to users have some level of privacy protection; they are not supposed to be visible to those who are not logged into the platform and also not shared with other platform users unless one approves them as a contact. Unfortunately, a data breach has given anyone access to WhatsApp phone numbers via Google search.
By searching using an alternate shortened URL for the service, one can get a list of over 300,000 phone numbers currently in use on the platform.
WhatsApp phone numbers visible through Google search
If one does a site-specific search for the domain “https://wa.me” and enters common dialing prefixes, Google search results return an indiscriminate list of these WhatsApp phone numbers visible in plain text.
Wa.me is a convenience domain that is primarily used for “click to chat” links to user accounts, which let platform users initiate chats with other users whose names are not saved in their contact lists. Businesses often connect this feature to a scannable QR code to quickly provide potential customers with a contact number. Security researcher Athul Jayaram discovered that wa.me does not have the “robots.txt” file that is used to limit the portions of the site that the Google search spiders can index. This file is also missing from the api.whatsapp.com domain that the “click to chat” feature makes use of.
Clicking through any of the Google search results does not necessarily provide any information on the identity of the WhatsApp user, but it does allow anyone logged into the platform to attempt to initiate a chat with these users. This will likely be used for spam purposes or blanket attempts by threat actors, and if WhatsApp users accept these calls or chat requests they might inadvertently provide the other party with some of their identifying information. And though these pages generally do not contain personally identifying information, some were found to include user profile pictures.
Facebook rejected a bug bounty report on this issue and downplayed it, claiming that the only numbers available are those that the owners have opted to make public. The company also claimed that owners of WhatsApp phone numbers have the option to automatically block contact attempts from unknown parties. However, many of the WhatsApp phone numbers revealed in Google search appeared to be standard cellular or landline numbers that spammers and scammers could simply make direct calls to without using the platform.
Jayaram said that some of the private businesses he reached out to about the Google search results were not aware that their WhatsApp phone number was considered to be “public” by the platform. Some may have assumed that since one had to physically visit a business to obtain their QR code, there would not be a way for people to look it up on the internet.
WhatsApp issued a fix for the issue on June 8, which also appears to have prevented indexing by other search engines.
Potential fallout from the WhatsApp data breach
This leak might not appear to be a major issue at first glance. Though over 300,000 WhatsApp phone numbers were leaked, it appears that many of these were already public contact numbers for businesses.
It is impossible to know for certain what the intentions of each of the breached parties was in terms of a search engine index, however. Some businesses (or professionals who work on an independent basis) may have wanted to control who had access to their WhatsApp phone numbers; a QR code to communicate contact information can be used as a means of spam reduction as it adds an extra step that many bulk spammers will not bother to take, particularly if one must visit a physical location or be given a business card to get the code. Compromised individuals face not just the annoyance of unwanted messages, but also the possibility of a SIM swap attack that could give a threat actor access to other online accounts tied to that phone number.
Yinglian Xie, CEO and Co-Founder of DataVisor, points out that the information uncovered through Google search could also contribute to overall business and personal profiles used in identity theft and business email compromise schemes: “In case of data breaches and data leaks, it is not just the exposure to data and subsequent fines that are an issue, it is also the attack on downstream systems. For example, the data is sold on the dark web and subsequently used by fraudsters and crime rings to create synthetic identities that are used in activities like fraudulent loan applications and fake user accounts and account take overs. So, it is not just important to keep the information safe but to also protect these downstream consumer facing applications from being target with synthetic ids.”
It is unclear whether WhatsApp might face potential fines from this breach. It would most likely be up to individual businesses to submit complaints if they did not intend for their WhatsApp phone numbers to be indexed and discoverable by Google search, making some sort of mass enforcement action with blockbuster fines much less likely. WhatsApp is already awaiting a GDPR decision from Ireland’s Data Protection Commission that could turn into a massive penalty, as the company is being probed for improper sharing of customer data with parent company Facebook.