A security researcher has revealed an oddity in the way WhatsApp allows smartphone numbers to be listed on Google. Not every phone number that has been used to sign up for WhatsApp is affected, only those that have been used to converse with website operators. If you have never spoken to anyone on WhatsApp except the people you know personally, you are probably not exposed to this relative weakness in the platform's security.
According to security researcher Athul Jayaram, this situation is known to WhatsApp leadership but is not considered – by them – to be a security issue at all. It has to do with the WhatsApp QR code feature launched earlier this year.
WhatsApp previously released group invite links, which work differently from the new QR code feature. The group invite link system appears to be effectively secure. The QR code system, by contrast, uses the URL shortening service at http://wa.me/, which does not use encryption or any other means to hide the user's phone number in the link.
When a user shares a QR code generated by this new system, and the URL behind it ends up anywhere a Google bot might crawl, that URL can be indexed and shown in Google search results. Anyone wishing to find thousands of phone numbers that have been inadvertently listed this way would only need to search for "site:wa.me" together with a country code in quotes.
At the time this article is set to publish, a search for "site:wa.me" returns more than 30,000 results. The vast majority of these links include WhatsApp-connected phone numbers in plain text. Some results also include messages sent in WhatsApp conversations through the wa.me system. UPDATE: It would also appear that the same sort of Google search turns up thousands of results for "site:api.whatsapp.com"; unless WhatsApp comes to see this as an issue, the number of indexed links will likely continue to grow.
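As an added example (not code from the article, the researcher, or WhatsApp), the following Python helper is the kind of pre-publication check a site operator can run over page content to list the phone numbers and prefilled messages that click-to-chat links expose in plain text. It assumes the two common click-to-chat URL shapes, wa.me/<number> and api.whatsapp.com/send?phone=<number>, each optionally carrying a text parameter, and uses a constructed sample page with reserved 555 numbers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Link forms this helper recognises (assumption: the two click-to-chat URL
# shapes, https://wa.me/<number>[?text=...] and
# https://api.whatsapp.com/send?phone=<number>[&text=...]).
_LINK_RE = re.compile(
    r"https?://(?:wa\.me|api\.whatsapp\.com)/[^\s\"'<>]+", re.IGNORECASE
)

def parse_click_to_chat(url):
    """Return {'url', 'phone', 'text'} if url is a click-to-chat link that
    embeds a phone number in plain text, otherwise None."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    query = parse_qs(parts.query)
    phone = None
    if host == "wa.me":
        # wa.me/<digits>: the number is the path itself, with no encoding at all
        candidate = parts.path.strip("/")
        if candidate.isdigit():
            phone = candidate
    elif host == "api.whatsapp.com" and parts.path == "/send":
        candidate = query.get("phone", [""])[0].lstrip("+")
        if candidate.isdigit():
            phone = candidate
    if phone is None:
        return None  # bare wa.me/ or non-numeric paths carry no number
    # The optional prefilled message also travels in the URL, URL-encoded only
    return {"url": url, "phone": phone, "text": query.get("text", [""])[0]}

def audit_content(content):
    """Scan arbitrary text/HTML and return every exposed-number link found."""
    findings = []
    for url in _LINK_RE.findall(content):
        parsed = parse_click_to_chat(url.rstrip(".,)"))
        if parsed:
            findings.append(parsed)
    return findings

# Constructed sample page using reserved 555 numbers, not real ones.
SAMPLE_HTML = """
<a href="https://wa.me/15550000000?text=Hello%20support">Chat with us</a>
<a href="https://api.whatsapp.com/send?phone=%2B15550000001&text=Order%2042">Order</a>
<a href="https://chat.whatsapp.com/INVITECODEPLACEHOLDER">Group invite</a>
"""
```

Running `audit_content(SAMPLE_HTML)` reports the two numbers and their decoded prefilled messages, while the group invite link (which carries no number) is ignored.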