The vulnerability is part of WhatsApp's 'click to chat' feature, where a user can generate a link to invite others.
Facebook-owned instant messaging platform WhatsApp may have exposed its users’ phone numbers on Google search owing to a vulnerability in its ‘click to share’ feature. The mobile numbers of users are available on Google search in plain text, according to independent cybersecurity researcher Athul Jayaram.
“WhatsApp web portal has leaked around 29,000 – 3,00,000 WhatsApp users’ mobile numbers in plain text accessible to any internet user. What makes this finding easy or appears to be simple is that data is accessible on the open web and not on the dark web,” wrote Jayaram in his blog post, which was reported by Threatpost.
He added, “This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages. Unfortunately, they did not do that yet and your privacy may be at stake.”
Explaining the issue, Jayaram said that the vulnerability is part of WhatsApp's ‘click to chat’ feature, where a user can generate a link to invite others. According to Jayaram, WhatsApp does not encrypt the phone number in the link; as a result, if the link is shared anywhere, the phone number is also visible in plaintext.
For example, if a user shares a “click to chat” link on a social media platform, the link carries the mobile number in it. Anyone with access to the link might, therefore, be able to see the user’s phone number. Moreover, the URLs are accessed by Google Bots for search indexing. Therefore, the link appears in Google search results even if the original post has been removed from the source.
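
The robots.txt and noindex measures Jayaram mentions can be checked for any page from its robots.txt, response headers and HTML. The following Python is an added example, not code from the article or from WhatsApp; the host, phone number and sample pages are constructed, and it flags the case where a robots.txt Disallow stops the crawler from fetching the page, so an on-page noindex is never read.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


def split_directives(value):
    """Split a robots directive list such as 'noindex, nofollow'."""
    return {d.strip().lower() for d in (value or "").split(",") if d.strip()}


class RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in ("robots", "googlebot"):
            self.directives |= split_directives(a.get("content"))


def audit(url, robots_txt, headers, html, agent="Googlebot"):
    """Classify how a crawler that honours robots.txt and noindex treats a page."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # The page is never fetched, so a noindex on it is never read; the bare
        # URL can still be listed when other sites link to it.
        return "crawl-blocked"
    meta = RobotsMeta()
    meta.feed(html)
    # Assumption: plain X-Robots-Tag values only (no per-agent "bot: rule" form).
    header = {k.lower(): v for k, v in headers.items()}.get("x-robots-tag")
    directives = meta.directives | split_directives(header)
    return "noindex" if directives & {"noindex", "none"} else "indexable"


# Constructed sample data: hypothetical host, fictional phone number.
URL = "https://chat.example/15550100123"
PAGE_PLAIN = "<html><head><title>Chat</title></head><body></body></html>"
PAGE_NOINDEX = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
ROBOTS_OPEN = ""
ROBOTS_CLOSED = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    print(audit(URL, ROBOTS_OPEN, {}, PAGE_PLAIN))       # no protection at all
    print(audit(URL, ROBOTS_OPEN, {}, PAGE_NOINDEX))     # crawler sees noindex
    print(audit(URL, ROBOTS_CLOSED, {}, PAGE_NOINDEX))   # noindex never fetched
```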