The WhatsApp has become the number one mobile messaging app, as Facebook has tried to make it more than just a tool that allows users to chat from Android and iOS.
Click to Chat, for example, allows two of its accounts WhatsApp get in touch with each other using a QR code or a custom URL.
This feature is supposed to be used by businesses to allow their customers to communicate directly, as Click to Chat only requires a scan of a QR code to start a messaging session without even knowing the other party's phone number.
However, the phone number is revealed as soon as the conversation starts because the QR code and URLs include this information because Click to Chat could not link the two accounts otherwise.
Security researcher Athul Jayaram has discovered that this feature exposes users' phone numbers as they could be indexed by Google due to the way QR is created.
Basically, it's all due to the metadata included in the QR code or the custom URL which, as mentioned above, includes phone numbers. The WhatsApp uses a public domain called wa.me for the whole subject and just the Google start crawling the pages hosted there, it will have all the Click to Chat links created along with the phone numbers.
Essentially, the Google can read phone numbers and then index them, making it possible for everyone to find out a specific phone number.
It may not seem like much at first, but as the researcher explains in an analysis that published at Threatpost, malicious users could collect far more information than they currently collect. For example, once a malicious user seizes someone's phone number, they can access their profile picture in WhatsApp and then use the photo to search for other information on social media to associate it with more accounts and therefore receive additional information.
OR WhatsApp, on the other hand, said that the users themselves decide if they want to share any information.
"While we value this researcher's report and appreciate the time he / she took to share it with us, it does not qualify for the bug bounty, as it simply contained a search engine index with URLs chosen by its users WhatsApp to make public. All its users WhatsApp", including businesses, can block disclosure at the touch of a button," said a company spokesman.
At the same time, the Google states that it only indexes public pages and only webmasters can remove URLs.