As we explained a few days ago, the cause of this bug is the Click to Chat function, which lets users send messages in the messaging application even to contacts who are not saved in the address book. To do this you create a URL following this example: "https://wa.me/numeroditelefono" (where "numeroditelefono" stands for the phone number). The researcher discovered that the metadata of the wa.me site is automatically indexed by Google, including the telephone number, which can then be viewed by anyone. Although the researcher reported the issue in May, WhatsApp did not consider it a serious bug and did not intervene at first. After the story was covered across the online press, however, the developers decided to take countermeasures.
WhatsApp: why the numbers were visible on Google
Some have called it a bug, others a simple oversight. But the problem was real, as shown by the rapid intervention to bring everything back to normal. It is not the first time that WhatsApp has ended up in the eye of the storm over user data appearing on search engines. Last February, the Motherboard site had already discovered thousands of WhatsApp groups present on Google: any user could access them and read the messages exchanged.
In this case, however, the cause of the problem is the Click to Chat function, used by many websites (especially e-commerce sites) to make it easier for users to send messages. By clicking on a button, you can send messages to customer support without saving the number. This, however, involves creating a URL that is indexed by Google, telephone number included. A simple search on the search engine was enough to find a phone number, save the contact's profile image, use it for a reverse image search and find the person's name. That name could then be used for scams or phishing campaigns.
How the problem was solved
Although WhatsApp initially tried to defend itself by saying that the search engine indexes only the URLs (and therefore the telephone numbers) of people who have chosen to make them public, within a few hours it decided to de-index the "wa.me" domain from search engines. In this way, similar cases should not be repeated in the future.
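For a site that publishes its own contact links with a phone number in the path, the following added example (not WhatsApp's code, and not a description of how wa.me was de-indexed) checks whether such pages tell crawlers not to index them. It assumes indexing is blocked with an `X-Robots-Tag` response header or a robots `<meta>` tag; the host `chat.example`, the phone number and the sample responses are constructed.

```python
import re
from html.parser import HTMLParser

# Assumed link shape: host, then a path that is only a phone number.
PHONE_PATH = re.compile(r"^https?://[^/]+/\+?\d{7,15}/?(?:\?.*)?$")
BLOCKING = {"noindex", "none"}  # "none" means noindex plus nofollow


def _split(value):
    # "googlebot: noindex, nofollow" -> {"noindex", "nofollow"}; a crawler
    # prefix is dropped, so a crawler-scoped rule is treated as global here.
    return {d.split(":", 1)[-1].strip().lower() for d in value.split(",")}


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content=...>."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= _split(a.get("content", ""))


def blocks_indexing(headers, html):
    """True if the response header or the page markup asks not to be indexed."""
    directives = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            directives |= _split(value)
    parser = _RobotsMeta()
    parser.feed(html)
    return bool((directives | parser.directives) & BLOCKING)


def audit(pages):
    """Return URLs that expose a phone number in the path and stay indexable."""
    return [url for url, headers, html in pages
            if PHONE_PATH.match(url) and not blocks_indexing(headers, html)]


# Constructed (url, response headers, body) samples for an offline run.
SAMPLE_PAGES = [
    ("https://chat.example/15555550100", {"Content-Type": "text/html"}, "<title>Chat</title>"),
    ("https://chat.example/15555550101", {"x-robots-tag": "noindex"}, "<title>Chat</title>"),
    ("https://chat.example/15555550102", {}, '<meta name="robots" content="noindex, nofollow">'),
    ("https://chat.example/about", {}, "<title>About</title>"),
]
```

Calling `audit(SAMPLE_PAGES)` returns only the first URL: it has a number in the path and neither a blocking header nor a blocking meta tag.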