Using WhatsApp’s Click To Chat feature could land personal phone numbers in public search results. Click to Chat is a feature that allows users to begin a chat with someone without having their phone number saved in the phone’s address book. Instead, users create a link or QR code that starts a chat with another user or business.
WhatsApp is known for its high data privacy standards and end-to-end encryption for users, but the WhatsApp-owned “wa.me” domain, which stores Click To Chat metadata in a URL string (e.g. https://wa.me/
Researcher Athul Jayaram reportedly scoured the domain using Google searches and found 300,000 WhatsApp numbers. Results did not uncover the full names of users but did include their WhatsApp profile pictures. Jayaram reported the issue to WhatsApp’s parent company, Facebook, via its Bug Bounty Program.
His application was reportedly dismissed because users have oversight of the information on their profile that is made publicly available. “While we appreciate this researcher’s report and value the time he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public,” said a WhatsApp spokesperson.
When it comes down to it, this issue can only occur if users create a link to their profile using ‘Click To Chat.’
A similar issue was identified previously with links to WhatsApp Group chats. Google later changed its search engine systems to block the group chat links from its results, though those links can still appear elsewhere. With more than 2 billion users worldwide, WhatsApp is the most popular messaging app, used in 180 countries globally.
WhatsApp was created in 2009 by Yahoo! computer programmers Brian Acton and Jan Koum. Facebook purchased WhatsApp Inc. in February 2014 for $19.3 billion.