WhatsApp has now reportedly (via Digital Trends) fixed a bug that caused a simple Google query to return an endless list of links to WhatsApp users. This occurred because WhatsApp had previously opted to build public links to users' WhatsApp accounts, which would then be available on Google with a query for “site:wa.me”.
The bug was first reported by India-based cybersecurity researcher Athul Jayaram, who discovered the privacy issue plaguing the world’s largest instant messaging service. The problem was found in WhatsApp’s Click to Chat feature, which allows users to generate a link (https://wa.me/) that can be shared online.
Unfortunately, this feature does not encrypt the mobile number, so the telephone number is available in plaintext. According to Athul, these wa.me pages did not use noindex meta tags, which allowed search engines to index these links and show them in search results. Athul could also restrict his search to a country by adding the country code to the wa.me link.
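A site owner can audit for the missing noindex directive described above. The following is an added example, not code from the article or from WhatsApp: it checks a response for a robots meta tag and, going beyond the article, for the equivalent X-Robots-Tag response header. The function names and sample responses are constructed for illustration.

```python
import re
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"


class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Only name="robots" addresses every crawler; bot-specific tags are skipped.
        if tag == "meta" and a.get("name", "").strip().lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def header_directives(headers):
    """Directives from X-Robots-Tag headers that apply to all crawlers."""
    found = set()
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        scope = re.match(r"\s*([\w-]+)\s*:", value)
        # "somebot: noindex" is scoped to one crawler, so it does not count here.
        if scope and scope.group(1).lower() != "unavailable_after":
            continue
        found |= {d.strip().lower() for d in value.split(",")}
    return found


def is_indexable(headers, html):
    """True when neither the headers nor the markup tell crawlers not to index."""
    meta = RobotsMeta()
    meta.feed(html)
    return not ((meta.directives | header_directives(headers)) & BLOCKING)


# Constructed sample responses (not WhatsApp's actual markup or headers).
EXPOSED = "<html><head><title>Chat with +00 0000 000000</title></head></html>"
FIXED = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'

if __name__ == "__main__":
    print("exposed page indexable:", is_indexable([("Content-Type", "text/html")], EXPOSED))
    print("meta tag added:        ", is_indexable([("Content-Type", "text/html")], FIXED))
    print("header added:          ", is_indexable([("X-Robots-Tag", "noindex")], EXPOSED))
```

A noindex directive only keeps compliant crawlers from listing the page; the number in the link itself is still plaintext to anyone who holds the URL.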
With a flaw like this, a simple Google search could expose the numbers of vulnerable individuals, who could then be targeted with spam and cyber attacks. Users who kept their privacy setting at ‘Public’ on WhatsApp were further exposed, as their profile pictures, names and statuses would be visible as well. In fact, Athul was able to access the profile photos and names of people who hadn’t kept their profile private.
WhatsApp landed in a similar controversy earlier this year when Google indexed invitations to WhatsApp group chats, which allowed just about anyone to join those groups without any verification.
The parent company of WhatsApp, Facebook, was withdrawing the ability to search for profiles via mobile numbers due to privacy concerns.