WhatsApp Is Leaking User Phone Numbers In Google Searches And Customizable Verification Codes


zanderthunder

The crazy train that is WhatsApp right now does not look like it will be stopping any time soon. After the privacy policy fiasco, which is still developing, other issues have popped up simultaneously. It appears that Google is indexing a WhatsApp subdomain that can share users’ phone numbers. Furthermore, there are also other issues with WhatsApp that scammers can use to social engineer people, as we are just now learning. This is an absolute nightmare for privacy and security again, and should concern every WhatsApp user at present.


Last year, WhatsApp had chat invite links indexed on Google, meaning they were searchable by anyone who knew what to look for. The search techniques could be adapted to then extrapolate more phone numbers from the WhatsApp platform. Now, this is happening again but on a different WhatsApp subdomain, web.whatsapp.com. With a simple Google search using patterns, search terms, and tricks, anyone can find a phone number from web.whatsapp.com. This was found by security researcher Rajshekhar Rajaharia, who tweeted out his findings, shown below.

When we reached out for comment, we also learned more about his findings. It seems that WhatsApp has a text file in place which should stop Google from indexing its websites, but that does not appear to be working. Clearly, however, WhatsApp is not monitoring its subdomains either, which is another issue in and of itself.

 

Furthermore, while publicly available phone numbers are bad, it gets worse. Rajaharia reported on a website from WhatsApp that spews verification codes that are customizable by whoever visits the website. When you pair the leaked phone number with a fake verification code, scammers can act like WhatsApp employees by texting a link to users and then reading the verification code to the customers as if they see it in the backend. Evidently, this is an issue in India, but it could spread to more technically illiterate users globally.

 

[Image: whatsapp verification rendered]

You can try this out for yourself here: https://v.whatsapp.com/123456?s=1

 

[Image: whatsapp business verification rendered]

Business customers can also be affected: https://b.whatsapp.com/123456?s=1

 

Overall, users need to be worried about their safety and privacy on the WhatsApp platform. WhatsApp should have learned the first time this happened in 2020 and improved, but that is not the case. Perhaps that is why so many people are flocking to rival Signal at the moment...
 
Edited by zanderthunder
Fixed formatting
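
The article notes that a robots text file did not keep these pages out of Google. As an added example (not part of the original post and not WhatsApp's code), the check below shows one general reason this happens: a robots.txt `Disallow` only blocks crawling, so the crawler never sees a page's `noindex` directive and the URL can still be listed from external links. The host, path and sample responses are constructed.

```python
import re
from urllib.robotparser import RobotFileParser

NOINDEX = re.compile(r"\b(noindex|none)\b", re.I)
META_ROBOTS = re.compile(
    r"<meta[^>]+name=[\"'](?:robots|googlebot)[\"'][^>]*content=[\"']([^\"']*)[\"']",
    re.I)

def index_exposure(robots_txt, url, headers, html, agent="Googlebot"):
    """Classify whether `url` can end up in search results.

    "url-only"  : crawl blocked; the bare URL may still be listed via links
    "excluded"  : crawlable and carries a noindex directive
    "indexable" : crawlable with no noindex directive
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    if not rp.can_fetch(agent, url):
        # A blocked crawler never fetches the page, so it never sees noindex.
        return "url-only"
    header = next((v for k, v in headers.items()
                   if k.lower() == "x-robots-tag"), "")
    meta = " ".join(META_ROBOTS.findall(html))
    if NOINDEX.search(header) or NOINDEX.search(meta):
        return "excluded"
    return "indexable"

# Constructed samples: hypothetical host and path with a phone number in the URL.
URL = "https://chat.example.test/send?phone=15555550100"
ROBOTS_BLOCK = "User-agent: *\nDisallow: /\n"
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"
PAGE_NOINDEX = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
PAGE_PLAIN = "<html><head><title>Chat</title></head></html>"

def audit():
    """Run the four configurations a site owner would compare."""
    return {
        "disallow_plus_meta": index_exposure(ROBOTS_BLOCK, URL, {}, PAGE_NOINDEX),
        "meta_noindex": index_exposure(ROBOTS_OPEN, URL, {}, PAGE_NOINDEX),
        "header_noindex": index_exposure(
            ROBOTS_OPEN, URL, {"X-Robots-Tag": "noindex"}, PAGE_PLAIN),
        "no_controls": index_exposure(ROBOTS_OPEN, URL, {}, PAGE_PLAIN),
    }

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20s} {verdict}")
```

The `disallow_plus_meta` case is the one to watch for: both controls are present, yet the URL, phone number included, remains eligible to appear in results.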