Update (9th June 2020): Athul Jayaram got in touch with Digit to highlight his tweet which says "Whatsapp deployed a fix for http://wa.me domain and phone numbers are not searchable anymore. I am glad to know my research stands valid. I do not have any official confirmation from Facebook Security Team." In another tweet, he says, "But did @WhatsApp and @fbsecurity forgot about http://api.whatsapp.com? Will the fix be deployed just like you did for http://wa.me?"
Original story below
According to former cyber risk consultant, Athul Jayaram, WhatsApp numbers of those using “WhatsApp's Click to Chat” feature are popping up on Google search. As first reported by Threatpost, “Click to Chat puts users’ mobile phone numbers at risk — by allowing Google Search to index them for anyone to find”. Let’s understand this in a little detail.
According to the WhatsApp blog, WhatsApp's Click to Chat feature “allows you to begin a chat with someone without having their phone number saved in your phone's address book. As long as you know this person’s phone number and they have an active WhatsApp account, you can create a link that will allow you to start a chat with them. By clicking the link, a chat with the person automatically opens. Click to chat works on both your phone and WhatsApp Web”. It is also possible to create a QR code linking to a WhatsApp number to initiate a chat. This is good for all forms of businesses that want to use the convenience of WhatsApp to chat with their customers without having customers save their numbers.
Well, according to the source, “Jayaram said that those mobile numbers can also turn up in Google Search results because search engines index Click to Chat metadata. The phone numbers are revealed as part of a URL string (https://wa.me/<phone_number>) and so, this in effect “leaks” the mobile phone numbers of WhatsApp users in plaintext, according to the researcher’s view. The “wa.me” domain is owned and maintained by WhatsApp, according to WHOIS records”. It must, however, be noted that Google Search only results in the revealed the phone numbers and “not the identities of users that they were connected to.”
So all the users, that do not use the Click to Chat feature, are safe even if they have chatted with a number using the feature.
Imagine what you could do with a confirmed WhatsApp number? If the number has a person’s profile photo, it is easier to identify who the number belongs to. More importantly, “The researcher maintains that many Click to Chat users are unaware that their phone numbers are being stored in plaintext, indexed by Google Search and discoverable via a relatively simple search query”.
Users told Threatpost that they were unaware that their number was googlable and surprisingly they had received very few spam calls. Being able to Google a small business contact number isn't anything new and has been the way a lot of people find contact details of small business.
In any case, it is one thing for a business to knowingly apply for a feature that lets customers reach them easily and it is entirely another thing to have that number appear through a Google Search.
In a statement, a WhatsApp Spokesperson told digit, “Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers. While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”