WhatsApp just fixed a system with which WhatsApp phone numbers were available to view and copy through a simple Google search. All WhatsApp needed to do was change a bit of code to de-index the lot of webpages created by their wa.me system – which they’ve done, this week. Users might never have known that their phone number was made public with this setup – but they might as well have suspected.
When a user works with WhatsApp and uses the systems’s “Click to Chat” feature, they create a URL with “wa.me”. This URL shortener is meant to be shared with friends and customers. It was made to make sharing a WhatsApp user’s phone number (for chatting on WhatsApp), as easy as possible.
It was not immediately clear that using this system would also appear in Google search results. A user would need to search for “site:wa.me” to find results, and when they did, they’d find phone numbers. Sometimes they’d find messages, and sometimes they’d find user images. WhatsApp should have had blocks in place when they first released this system so that search engines would not automatically index all pages.
WhatsApp should also have avoided putting the user’s phone number in the URL for “wa.me” shares. That bit seems to still be active – but isn’t publicly available in any way other than a user sharing said URL to the world themselves.
As a WhatsApp spokesperson shared this week, “While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”