Athul Jayaram, an independent cybersecurity researcher, has reported in his blog that many WhatsApp number details are available on normal Google search.
He wrote that there is a privacy issue in the WhatsApp web portal that leaked 29000-30000 user’s mobile number in plain text accessible to any internet user.
He wrote that most users are from the United Kingdom, the United States and India. “What makes it easy or simple is that the data is accessible to open web rather than the dark web,” he wrote. The blog was first reported by Threatpost.
Jayaram said that he contacted Facebook to report the issue. However, the social media giant has replied that data abuse is covered only for FB and not for WhatsApp.
READ: https://penbugs.com/i-openly-challenge-stokes-to-dismiss-dhoni-sreesanth/
He said that the issue could have been avoided had WhatsApp encrypted user’s mobile numbers. “With a big user base, they should care about these vulnerabilities. Today your mobile number is linked to Bitcoins, Aadhar, bank accounts, UPI and credit cards leading an attacker to perform sim card swapping and cloning attacks by knowing your mobile number is another possibility,” he wrote.
Jayaraman said that WhatsApp’s click to chat feature has the user’s mobile number in the URL and even after the original tweet is deleted, the data is available on plaintext google search.
He said that adding a robots.txt file would disallow the bots from crawling their domain and meta noindex tag on the pages and because they have not done that the privacy of the user is at stake.
