WhatsApp users’ personal data was in danger of leaking, said an information security researcher from India. According to him, the new “Click to Chat” function is to blame: its use leads to users’ phone numbers being indexed by Google and, as a result, appearing in search results.
“Your WhatsApp phone number may be leaked to the Internet, and the authorities will not doubt it, do you?” This is how cybersecurity researcher Atul Jayaram from India began his publication on a media forum.
According to Jayaram, he discovered an unpleasant loophole in the popular messenger. Users from the United States, Britain, India and almost all other countries in the world have suffered from it.
It turns out that WhatsApp users’ phone numbers can be found on the public internet, and it is not even necessary to delve into the dark web: we are talking about Google search results.
The vulnerability is in the “Click to Chat” function, which allows you to start a conversation with a WhatsApp user by scanning a QR code. Each account is assigned a unique code which, when decoded, is a link of the form https://wa.me/. At the end of the link is the user’s phone number, which is neither hidden nor encrypted.
For example, you can share this link on Twitter so that your friends can quickly chat with you. However, once the link has been posted on the social network, Google and other search engines begin to index it and display it in their results. Moreover, deleting the link will no longer help: once it reaches Google, it stays there.
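An added example (not from the original article or from WhatsApp): a small Python audit that scans content you are about to publish for Click to Chat links that expose a number in plain text. Besides the wa.me form described above, it also recognises the api.whatsapp.com/send?phone= form, which goes beyond the article; the function names, sample text and phone numbers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches candidate URLs in free text; trailing punctuation is trimmed later.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def exposed_number(url):
    """Return the digits a Click to Chat link exposes, or None."""
    parts = urlsplit(url.rstrip(".,;:!?)"))
    host = (parts.hostname or "").lower()
    if host == "wa.me":
        candidate = parts.path.strip("/")
    elif host == "api.whatsapp.com" and parts.path.rstrip("/") == "/send":
        candidate = parse_qs(parts.query).get("phone", [""])[0]
    else:
        return None
    digits = candidate.strip(" +")
    # International numbers have at most 15 digits; other paths are not phone links.
    if digits.isascii() and digits.isdigit() and 7 <= len(digits) <= 15:
        return digits
    return None

def mask(digits):
    """Keep only the last two digits so the report does not leak the number again."""
    return "*" * (len(digits) - 2) + digits[-2:]

def audit(text):
    """Return (line_number, masked_number) for every exposing link in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            digits = exposed_number(url)
            if digits:
                findings.append((lineno, mask(digits)))
    return findings

# Constructed sample content; the numbers are made up.
SAMPLE = """Chat with me: https://wa.me/15550100123.
Our shop: https://api.whatsapp.com/send?phone=15550100456&text=hi
Docs: https://wa.me/about and https://example.com/15550100789
"""

if __name__ == "__main__":
    for lineno, masked in audit(SAMPLE):
        print(f"line {lineno}: link exposes number {masked}")
```

Running it over a draft post or an exported page before publication flags the lines whose links would hand the number to a crawler.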
Jayaram said he found about 300,000 phone numbers from WhatsApp in Google’s search results.
Given that attackers can take over these numbers, you need to be prepared to receive calls and messages from potential spammers or advertisers. According to the researcher who discovered the vulnerability, the most reliable solution is to delete the account and register a new phone number.
Atul Jayaram believes that WhatsApp can avoid this problem by encrypting the user’s phone number instead of storing it as plain text.
In March this year, information security experts accused the messenger of storing personal data in unencrypted form.
At that time, the researchers’ complaint concerned the implementation of two-factor authentication, in which the device owner chooses a six-digit PIN code to enhance security.
As the information security experts discovered, this PIN is stored unencrypted in the messenger’s “sandbox”, an area that other applications cannot access by default. Nonetheless, there are many exceptions in which it is still possible to get into the “sandbox” and find out the user’s password. Jailbroken iPhones are vulnerable to such an attack, although attackers must have physical access to them. In addition, the PIN code can be found on an Android-based device if its owner has root permissions, which provide a wide range of superuser functions.