WhatsApp fixes a flaw that made phone numbers of users public
A WhatsApp vulnerability that allegedly left the phone numbers of around 300,000 people exposed has now been fixed.
The loophole was in the Click to Chat feature, which streamlines conversations. It was first revealed by the WhatsApp-focused website WaBetaInfo and later reported by security researcher Athul Jayaram.
The feature lets users create a wa.me/ URL that can be shared with friends and prospective customers to initiate a chat or join a group, without requiring them to save a phone number first.
WhatsApp should have asked Google and other search engines not to index these links. It did not, which is why a “site:wa.me” search was all it took for phone numbers of some WhatsApp users to show up in search results. Some searches even turned up messages and images.
WhatsApp has now de-indexed the associated webpages. Phone numbers still remain a part of the short URL, but they will not be indexed by crawlers.
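A check for the condition described above, as an added example that is not WhatsApp's code: it flags responses whose URL path is a phone number and that carry no `noindex` directive in either the `X-Robots-Tag` header or a robots meta tag. The path pattern and the sample responses are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed shape of a Click to Chat link: the path is only digits, e.g. /15555550100
PHONE_PATH = re.compile(r"^/\+?\d{7,15}/?$")


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def is_noindexed(headers, html):
    """True if the header or the markup tells crawlers not to index the page."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            # Drop an optional "googlebot:" style user-agent prefix per directive.
            found |= {d.split(":")[-1].strip().lower() for d in value.split(",")}
    parser = _RobotsMeta()
    parser.feed(html)
    found |= parser.directives
    return bool(found & {"noindex", "none"})


def audit(responses):
    """Return URLs that carry a phone number in the path and are still indexable."""
    return [url for url, headers, html in responses
            if PHONE_PATH.match(urlparse(url).path) and not is_noindexed(headers, html)]


# Constructed sample responses (numbers use the fictional 555-01xx range)
SAMPLES = [
    ("https://wa.me/15555550100", {"Content-Type": "text/html"}, "<html><head></head></html>"),
    ("https://wa.me/15555550101", {"X-Robots-Tag": "noindex, nofollow"}, "<html></html>"),
    ("https://wa.me/15555550102", {}, '<head><meta name="robots" content="noindex"></head>'),
    ("https://wa.me/about", {}, "<html></html>"),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```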
Facebook says it was aware of the issue already
This was no minor flaw and goes as far back as February. Facebook claims it was already working on it when Jayaram escalated it and that the phone numbers he stumbled upon were probably old results cached by Google.
Here is what a WhatsApp spokesperson said on the matter:
Regardless of what Facebook says, the now-fixed flaw is not a good look for a company whose CEO was summoned to Congress over privacy lapses.