HYDERABAD: Facebook-owned WhatsApp, an instant messaging service, has numerous attractive features. But now a bug has been reported in one of them.
According to independent cybersecurity researcher Athul Jayaram, the bug lies in WhatsApp's Click to Chat feature, which generates shareable links. The feature does not encrypt the phone number in the link, so the number is visible in plain text wherever the link is shared.
The Click to Chat feature lets users chat with another user without saving that person's phone number in their address book.
Jayaram wrote in his blog post: “Privacy issue in the WhatsApp web portal that leaked around 29000 to 300000 WhatsApp users’ mobile numbers in plain text accessible to any internet user.”
He stated that users from the United States, the United Kingdom, India and other countries are affected.
Jayaram also explained: “This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta no-index tag on the pages; unfortunately, they did not do that yet and your privacy may be at stake.”
For example, if a user shares a Click to Chat link with a friend on social media, the mobile number is visible in plain text in the URL itself, and anyone who finds the URL can read the phone number.
Jayaram also said that today mobile numbers are linked to Bitcoin wallets, Aadhaar, UPI and credit cards, and that an attacker who knows a mobile number could also attempt SIM card cloning attacks. So Facebook, with such a big user base, should care about these vulnerabilities.
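As an added illustration (not from the article, the researcher or WhatsApp), here is a small Python scanner a team could run over outgoing posts or chat exports to flag and mask Click to Chat links before they are shared publicly. The wa.me and api.whatsapp.com/send?phone= link shapes are assumed from WhatsApp's public documentation, and the sample text is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Matches bare URLs in free text (stops at whitespace or quote characters).
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def extract_number(url: str):
    """Return the phone number a Click to Chat URL carries in plain text, or None.

    Assumed link shapes (from WhatsApp's public docs, not from the article):
      https://wa.me/<digits>
      https://api.whatsapp.com/send?phone=<digits>
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host == "wa.me":
        digits = parts.path.strip("/").split("/")[0].lstrip("+")
        return digits if digits.isdigit() else None
    if host in ("api.whatsapp.com", "web.whatsapp.com") and parts.path.rstrip("/") == "/send":
        phone = parse_qs(parts.query).get("phone", [""])[0].lstrip("+")
        return phone if phone.isdigit() else None
    return None

def scan(text: str):
    """Find every Click to Chat link in text.

    Returns (exposed_numbers, masked_text): the numbers found in plain text,
    and the text with all but the last four digits of each number replaced by '*'.
    """
    found = []
    def _mask(match):
        url = match.group(0)
        number = extract_number(url)
        if number is None:
            return url                      # not a Click to Chat link, leave as-is
        found.append(number)
        masked = "*" * (len(number) - 4) + number[-4:]
        return url.replace(number, masked)
    return found, URL_RE.sub(_mask, text)

# Constructed sample: two Click to Chat links plus an unrelated URL that must be ignored.
SAMPLE = ("Ping me on WhatsApp https://wa.me/15551234567 or "
          "https://api.whatsapp.com/send?phone=919876543210&text=hi ; "
          "docs at https://example.com/wa.me/help")

if __name__ == "__main__":
    numbers, masked = scan(SAMPLE)
    print("exposed numbers:", numbers)
    print(masked)
```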
He stated that "Through the WhatsApp profile, the profile photo of the user can be seen, and one can do a reverse image search to find their other social media accounts and discover a lot more about a targeted individual."
Jayaram informed Facebook about the issue; the company reportedly replied that data abuse is only covered for Facebook platforms and not for WhatsApp.
WhatsApp said in a statement: “While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”