A bug-bounty hunter known as Athul Jayaram has uncovered how using a WhatsApp feature could leave you vulnerable to all manner of scams and cyber attacks.
The WhatsApp feature known as Click to Chat lets anyone click a link on the WhatsApp-owned programmatic “wa.me” domain, which takes them directly to WhatsApp to chat with you.
The domain stores click to chat metadata in a URL string. For instance, if you click on this link https://wa.me/2348052317264, it will take you to WhatsApp to chat with me.
But that is not the issue. The issue is that your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number. Plus, Google is indexing the phone number, meaning it’s visible in Search.
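For a site owner who wants to check which of their own published pages expose a number this way, the following added example (not from the original article or from WhatsApp) parses a page's HTML, finds click-to-chat links and reports the numbers in masked form. The `api.whatsapp.com/send?phone=` link form, the function names, the sample HTML and the fictional 555 numbers are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

def extract_number(href):
    """Return the digits a click-to-chat URL exposes, or None."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if host == "wa.me":
        candidate = u.path.strip("/")
    elif host == "api.whatsapp.com" and u.path.rstrip("/") == "/send":
        candidate = parse_qs(u.query).get("phone", [""])[0]
    else:
        return None
    digits = candidate.strip(" +")
    return digits if re.fullmatch(r"\d{7,15}", digits) else None

def mask(digits):
    """Keep the report itself from becoming another plain-text copy."""
    return digits[:3] + "*" * (len(digits) - 5) + digits[-2:]

class ChatLinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.noindex = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            # Crawler hint on the linking page; it does not hide the URL.
            self.noindex = "noindex" in (a.get("content") or "").lower()
        elif tag == "a":
            number = extract_number(a.get("href") or "")
            if number:
                rel = (a.get("rel") or "").lower().split()
                self.links.append({"number": mask(number),
                                   "nofollow": "nofollow" in rel})

def audit(html):
    parser = ChatLinkAudit()
    parser.feed(html)
    parser.close()
    return {"noindex": parser.noindex, "links": parser.links}

# Constructed sample page; the 555 numbers are fictional.
SAMPLE = """<html><head><meta name="robots" content="index,follow"></head><body>
<a href="https://wa.me/15555550123">Chat with sales</a>
<a rel="nofollow" href="https://api.whatsapp.com/send?phone=15555550199&amp;text=hi">Support</a>
</body></html>"""
```

Calling `audit(SAMPLE)` returns the page's robots setting and one masked entry per click-to-chat link, which is enough to decide whether a contact form or a dedicated business number should replace the link.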
Messaging platform WhatsApp is renowned for its high data privacy standards, offering end-to-end encryption to all users. However, this latest discovery suggests personal data may not be as private as users might like to think.
Scouring the domain via Google searches, Jayaram reportedly uncovered 300,000 WhatsApp numbers made public via this mechanism.
“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers and scammers,” he stated.
However, when contacted, WhatsApp dismissed the vulnerability on the grounds that users have full oversight of the information attached to their profile that is made available to the public.
A WhatsApp spokesperson was quoted as saying the vulnerability “merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button”.
Meanwhile, the bug-bounty hunter believes that WhatsApp should take the disclosure more seriously, due to the scope of attacks the issue could facilitate.
“Today, your mobile number is linked to your Bitcoin wallets, Aadhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks is another possibility,” he said.