WhatsApp Problem: Phone Numbers Could be Leaked to Google Search
More than 300 thousand phone numbers of WhatsApp users became publicly visible in search engines. So if thieves, drug dealers, or money-laundering companies have found out your number, you can have no doubt who made it so easy for them. The reason is an alternative WhatsApp domain which was, stupidly, configured incorrectly.
Over the years, the heavily promoted WhatsApp platform, which is owned by Facebook, has become one of the most widely used. Of course, the free messaging app is very handy. And although its creators say it is protected, in fact the protection is scanty. The level of confidentiality of the phone numbers that belong to you, your dad, and your brother is poor.
Ideally, your phone number cannot be discovered by someone who does not use WhatsApp, and those who are not in your contact list cannot obtain it. But here everything worked out differently. The massive data leak means that all of this went to hell: our numbers can now be seen by any company, from the one that peddles napkins for heels to the one that lures large sums out of people over the phone. So friends, be careful.
And now a little more about the domain itself. Through the shortened version of the WhatsApp URL, the 300,000 WhatsApp contacts who use the platform can be reached.
If you run a Google search restricted to the domain “https://wa.me”, all these phone numbers simply show up in the search results.
The domain wa.me itself is used so that you can contact one of the users in one click. This helps different platform members to contact each other even if they are not on each other’s contact list.
This option is often used by companies, and a QR code has to be scanned to get access to their numbers. But for some reason, WhatsApp forgot about security here and decided to take a risk rather than bother with protection. However, their mess did not go unnoticed.
Renowned security expert Athul Jayaram made this WhatsApp slip known to the general public. Jayaram showed that the domain has no robots.txt file, the file that tells search engine crawlers which parts of a site to stay out of and so limits what can later be found on Google. Since this was not done, all the information poured out like a sewer. He also failed to find this file on api.whatsapp.com, which is used for the one-click chat.
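What a missing robots.txt means to a crawler, and why a Disallow rule alone is weaker than a noindex response header when the phone number sits in the URL itself, can be checked offline. This is an added example, not code from WhatsApp or from the original article; the sample URL, the configurations and the function names are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed click-to-chat URL; the number is fictitious.
SAMPLE_URL = "https://wa.me/15555550100"

def crawl_allowed(robots_txt, url, agent="Googlebot"):
    """robots_txt is the file body, or None when the site serves no such file."""
    rp = RobotFileParser()
    # Crawlers treat a missing robots.txt as "everything may be crawled".
    rp.parse((robots_txt or "").splitlines())
    return rp.can_fetch(agent, url)

def noindex_requested(headers):
    """True if an X-Robots-Tag response header asks for noindex (or none)."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            # Simplification: per-crawler prefixes ("googlebot: noindex") are not parsed.
            directives = {d.strip().lower() for d in value.split(",")}
            if directives & {"noindex", "none"}:
                return True
    return False

def search_exposure(robots_txt, headers, url=SAMPLE_URL):
    if not crawl_allowed(robots_txt, url):
        # The crawler never fetches the page, so it cannot see a noindex header.
        # The bare URL, which here contains the phone number, can still be listed
        # if other pages link to it.
        return "url-only"
    return "not-indexed" if noindex_requested(headers) else "indexed"

# Constructed configurations: (robots.txt body, response headers).
CONFIGS = {
    "no robots.txt, no header": (None, {}),
    "robots.txt Disallow: /": ("User-agent: *\nDisallow: /\n", {}),
    "noindex header, crawling allowed": (None, {"X-Robots-Tag": "noindex"}),
}

if __name__ == "__main__":
    for label, (robots, headers) in CONFIGS.items():
        print(f"{label:35} -> {search_exposure(robots, headers)}")
```

Only the third configuration keeps both the page and its URL out of the index; the first is the state the article describes.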
Of course, Google will not give direct, detailed information about the person. However, having obtained your number, anyone on the platform can start a conversation with you, and then google your photo, find you on social networks, or dig into your resume. In general, it will not be difficult to reach you after finding out your phone number. Often the numbers end up with companies looking for a customer base. Some criminal groups start sending out spam or even threats and calling day and night, and this can turn into real terror. Then the only thing you can do is change your number. But you are never immune from subsequent incidents.
Such WhatsApp bugs are very costly to its users, especially when it comes to a serious showdown.
But Facebook stupidly ignored Mr. Jayaram's important investigation and did not reward him for so carefully pointing out the error. By trying to brush the problem off, the platform may soon lose its former reputation. What the security expert noticed has a significant impact on users and their security. If that security is not there, sooner or later someone will raise a storm. The company itself replied to Jayaram that the owners had made their numbers and photos available, so there is nothing wrong with Google seeing them. But this is an outright lie, since we are talking about a massive leak of information from one source to another: one company hands its database to others. This is a tough blow to privacy. Besides, WhatsApp representatives defended themselves by saying that their users can block fraudsters if they deem it necessary.
However, such a feature will not work with landline phones, where the calls will keep coming without interruption. And we still do not understand why the company would allow this. It is tantamount to saying that if you come across a fly in your salad in a restaurant, you should just throw it away. We are sure that after this, some users, for whom safety standards are especially important, will simply change their means of communication. And the company's stubbornness will simply backfire.
According to Jayaram, not all companies were aware that the numbers they use on WhatsApp were public and could easily be found in Google search results. Some companies believed that to get the QR code you had to come to the company directly, not just find it under the first Google link.
What’s behind the massive WhatsApp leak?
It may seem to some that the leak of contacts from the platform to other databases is okay, especially for those who did not try to hide their number. It is only some 300 thousand subscribers, after all. However, if you think about it, the numbers are shocking. WhatsApp itself is used in 180 countries by about 2 billion users, and if this trend continues, the leak will be even more significant.
Also, we certainly cannot say that the owners of all these phone numbers had made them public and were not afraid of disclosing their information. If that is not the case, then WhatsApp's actions can in fact be called hacking: all data that the user could have kept secret ends up in an open search engine. Indeed, companies and individuals often do not want to advertise their number, choose only a narrow audience for it, and constantly monitor where their number is available. This part of the audience will not like such a flaw from WhatsApp.
As for the QR code, it is an additional obstacle for scammers. Not all spam lovers are ready to take many steps to send their spam out, and most of them will probably not bother to follow the link. Without the code and the link, it is much easier to send any nonsense to anyone. This is exactly what various cybercriminals are doing on the Internet.
So the QR code is a kind of sieve: only those who are genuinely interested and are not looking for easy ways get through it. Those who have been hacked often find out from the billions of stupid messages they receive, with assorted advertising texts or even some kind of absurd nonsense.
That would be tolerable if scammers could not use the number to take over the SIM card or swap it. When they can, the victim of the scam will have a hard time. In this situation we can be talking about larger hacks, for example of online banking passwords or of other accounts to which the number is linked. And here we are already talking about the theft of large sums.
DataVisor co-founder and CEO Yinglian Xie argues that Google’s results for WhatsApp accounts can have serious business implications: they open up access to business accounts as well as to companies' personal profiles. Besides, one of the most common schemes is to use such a trick to access personal data and company e-mail, information from which can then be used as compromising material. Such massive data breaches can destroy entire businesses or be used to blackmail them for profit. The possible consequences Yinglian Xie describes are shocking:
All this will not end with a massive leak of classified information and a series of fines. Further, successive hacker attacks on subordinate systems will begin. This means that if the data is on the dark web and has already been put up for sale, it will be bought by scammers and various criminal authorities engaged in hacking. Then they artificially create special identification bases, and with their help they subsequently succeed in taking out loans. And sometimes they even simply duplicate user records and hijack their accounts. Therefore, it is very important to use secure versions of the application and to have good protection on your phone or computer.
Just a couple of years ago, WhatsApp had another equally dire problem. If a hacker placed a video call to you, he had every chance to take possession of absolutely any information on your phone, from personal messages to photos and videos.
No sooner do the creators of the platform begin to smooth over the latest mess in WhatsApp than, within a couple of weeks, new problems are found. That is why using the app is like walking a tightrope over an abyss, where a threat to your security can appear at any time.
Security on WhatsApp is ideal for fraudsters and constant surveillance. Its flaws act exactly like backdoors, quietly bypassing standard authentication procedures and remaining invisible.
But in fact, it is not so easy for experts to check for backdoors. WhatsApp, unlike other platforms such as Telegram, does not give access to its source code. And it not only keeps the code secret but also adds fuel to the fire: it deliberately encrypts binary files in the attachment, so that it is almost impossible to find out anything about them.
And it is not yet clear whether it will be possible to hold WhatsApp accountable for all illegal actions. This is likely to happen if the companies that have become victims of WhatsApp scammers start contacting the police and file statements that they object to the indexing of their numbers and their public availability in Google search results. This will certainly reduce the number of coercive procedures and disproportionate fines. At the moment, WhatsApp is under the oversight of the Irish Data Protection Commission, and a decision under the GDPR is due soon. If the decision is positive, it will lead to serious consequences for the entire WhatsApp team. It will suffer big losses and fines, since there is already a criminal case regarding the transfer of customer data from Facebook to its subsidiary WhatsApp.