WhatsApp Is Leaking User Phone Numbers In Google Searches And Customizable Verification Codes
Amid the crazy train that is WhatsApp, which is still developing, other issues have popped up simultaneously. It appears that Google is indexing a WhatsApp subdomain that can share users’ phone numbers. Furthermore, there are also other issues with WhatsApp that scammers can use to social engineer people, as we are just now learning. This is an absolute nightmare for privacy and security again, and should concern every WhatsApp user at present.
Last year, WhatsApp had chat invite links indexed on Google, meaning they were searchable by anyone who knew what to look for. The search techniques could be adapted to then extrapolate more phone numbers from the WhatsApp platform. Now, this is happening again but on a different WhatsApp subdomain, web.whatsapp.com. With a simple Google search using patterns, search terms, and tricks, anyone can find a phone number from web.whatsapp.com. This was found by security researcher Rajshekhar Rajaharia, who tweeted out his findings, shown below.
When we reached out for comment, we also learned more about his findings. It seems that WhatsApp has a text file in place which should stop Google from indexing its websites, but that does not appear to be working. Clearly, however, WhatsApp is not monitoring its subdomains either, which is another issue in and of itself.
This time, @WhatsApp is actually using a “Robots.txt” file and a “disallow all” setting, so they are instructing @Google not to index anything. Google is still Indexing. #InfoSec
— Rajshekhar Rajaharia (@rajaharia) January 15, 2021
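An added example (not from the article, the researcher or WhatsApp) of a check a site owner can run for the situation in the tweet: a robots.txt "disallow all" blocks crawling rather than indexing, so a crawler that may not fetch a page never reads its noindex signal and the bare URL can still be listed when other pages link to it. The host, parameter name, phone-like number and header values are constructed, and the 7-15 digit pattern is an assumption.

```python
import re
from urllib import robotparser
from urllib.parse import urlsplit

META_ROBOTS = re.compile(
    r'<meta[^>]+name=["\']robots["\'][^>]+content=["\']([^"\']*)', re.I)
PHONE_LIKE = re.compile(r"\d{7,15}")  # assumption: 7-15 digits looks like a phone number

def audit(robots_txt, url, headers=None, html="", agent="Googlebot"):
    """Return how a robots.txt-obeying search engine may treat `url`."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    crawlable = rp.can_fetch(agent, url)

    hdrs = {k.lower(): v.lower() for k, v in (headers or {}).items()}
    meta = META_ROBOTS.search(html)
    noindex = "noindex" in hdrs.get("x-robots-tag", "") or bool(
        meta and "noindex" in meta.group(1).lower())

    if not crawlable:
        # The page is never fetched, so any noindex on it is never read.
        # The bare URL can still be listed when other pages link to it.
        state = "url-only-indexable"
    elif noindex:
        state = "noindex-effective"
    else:
        state = "indexable"

    parts = urlsplit(url)
    leaks = state != "noindex-effective" and bool(
        PHONE_LIKE.search(parts.path + "?" + parts.query))
    return {"state": state, "number_exposed_in_url": leaks}

# Constructed sample input (hypothetical host and parameter name).
DISALLOW_ALL = "User-agent: *\nDisallow: /\n"
ALLOW_ALL = "User-agent: *\nAllow: /\n"
URL = "https://chat.example.com/send?phone=15550100123"

if __name__ == "__main__":
    cases = [
        ("disallow all + noindex header", DISALLOW_ALL, {"X-Robots-Tag": "noindex"}),
        ("crawlable + noindex header", ALLOW_ALL, {"X-Robots-Tag": "noindex"}),
        ("crawlable, no directive", ALLOW_ALL, {}),
    ]
    for name, robots, hdrs in cases:
        print(f"{name}: {audit(robots, URL, hdrs)}")
```

Only the second case keeps the URL out of results: the page has to be crawlable for the noindex directive to be seen at all.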
Furthermore, while publicly available phone numbers are bad, it gets worse. Rajaharia reported on a website from WhatsApp that spews verification codes that are customizable by whoever visits the website. When you pair the leaked phone number with a fake verification code, scammers can act like WhatsApp employees by texting a link to users and then reading the verification code to the customers as if they see it in the backend. Evidently, this is an issue in India, but it could spread to more technically illiterate users globally.
Overall, users need to be worried about their safety and privacy on the WhatsApp platform. WhatsApp should have learned the first time this happened in 2020 and improved, but that is not the case. Perhaps that is why so many people are flocking to rival Signal at the moment...