WhatsApp users who used the app's Click to Chat feature unknowingly had their phone number show up in Google's search results. An estimated 300,000 phone numbers of WhatsApp users worldwide were exposed online this way.
Cybersecurity expert Athul Jayaram discovered the problem after noticing that Click to Chat generates a link in which the creator's phone number is not encrypted but appears in plain text, unlike the WhatsApp-generated QR code that users scan to add each other.
Sharing such a Click to Chat link (on Twitter, for example) means a Google crawler can find the URL and include it in the search results, even if the tweet is later deleted. The domain (https://wa.me) did not serve a robots.txt file at its root, so crawlers from companies like Google could index the URLs unhindered.
According to Jayaram, at the time of discovery 300,000 accounts with their attached phone numbers could be viewed. Depending on the user's WhatsApp privacy settings, full names or profile pictures were exposed as well.
Facebook (owner of WhatsApp) initially patched only part of the problem, filtering wa.me URLs out of the search results and deleting the existing entries. Only after it was pointed out that api.whatsapp.com URLs (phone numbers included) still appeared in the results was a second fix rolled out that resolved the problem.
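The two mechanisms described above, a phone number carried in clear text by the link itself and a host with no robots.txt to keep crawlers off those links, can be checked offline with the Python standard library. The following is an added example written for this article, not code from WhatsApp, Facebook or the researcher; the sample links use a reserved example number, and the restrictive robots.txt is an assumed corrected configuration, not WhatsApp's actual file. It audits both hosts named in the report, since the first fix only covered one of them.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse
from urllib.robotparser import RobotFileParser

# Constructed sample links: the digits are a reserved example number, not a
# real WhatsApp user. Both hosts are named in the report as serving Click to
# Chat links.
SAMPLE_LINKS = [
    "https://wa.me/15555550123",
    "https://api.whatsapp.com/send?phone=15555550123",
]

# Weak setting: the host serves no robots.txt at all, so a crawler treats
# every path as fetchable.
MISSING_ROBOTS = ""

# Corrected setting (an assumption for this example, not WhatsApp's actual
# file): ask every crawler to stay off the whole host.
RESTRICTIVE_ROBOTS = "User-agent: *\nDisallow: /\n"


def crawler_may_fetch(robots_txt: str, url: str, user_agent: str = "Googlebot") -> bool:
    """Return True if a crawler that honours robots_txt is allowed to fetch url."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    rp.modified()  # mark the rules as loaded so can_fetch() evaluates them
    return rp.can_fetch(user_agent, url)


def exposed_phone_number(url: str) -> Optional[str]:
    """Return the phone number a Click to Chat style link carries in clear
    text, or None. Looks at the last path segment (wa.me/<number>) and at a
    'phone' query parameter (api.whatsapp.com/send?phone=<number>)."""
    parsed = urlparse(url)
    candidates = [parsed.path.rstrip("/").rsplit("/", 1)[-1]]
    candidates += parse_qs(parsed.query).get("phone", [])
    for value in candidates:
        digits = value.lstrip("+")
        # E.164 numbers are between 7 and 15 digits long
        if digits.isdigit() and 7 <= len(digits) <= 15:
            return digits
    return None


def audit(robots_txt: str, urls: List[str] = SAMPLE_LINKS) -> List[Dict[str, object]]:
    """Summarise, per link, what a search engine could learn from it."""
    report = []
    for url in urls:
        report.append({
            "url": url,
            "host": urlparse(url).hostname,
            "crawlable": crawler_may_fetch(robots_txt, url),
            "phone_number": exposed_phone_number(url),
        })
    return report


if __name__ == "__main__":
    for label, robots in (("no robots.txt", MISSING_ROBOTS),
                          ("restrictive robots.txt", RESTRICTIVE_ROBOTS)):
        print(f"== {label} ==")
        for row in audit(robots):
            print(f"{row['host']:<20} crawlable={row['crawlable']!s:<5} "
                  f"phone_number={row['phone_number']}")
```

Note what the audit does and does not show: a robots.txt only steers crawlers that choose to honour it, it does not remove results a search engine has already indexed (that needs the search engine's own removal process, which is what the first fix relied on), and it does nothing about the number sitting in plain text in every tweet that carries the link. It also has to be deployed on every host that serves the links, which is exactly the gap the api.whatsapp.com follow-up exposed.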