Why are WhatsApp numbers leaked in a Google search, and why can't users be blamed?

Data Privacy

A phone number is personal data under the GDPR, and exposing it violates the privacy laws of the European Union, the US, and other countries where data privacy laws exist. For example, numbers with country code +1 belong to the US, so US data privacy law may apply to them. Since WhatsApp is headquartered in the US, US data privacy laws are the more directly applicable ones for the application.

The process flow

Step 1. A user publishes a link of the form http://wa.me/<phone_number> on their website, or someone tweets such a link containing their mobile number.

Step 2. If allowed, Googlebot enters the personal website and crawls all the links on it.

Step 3. Google adds a new URL entry pointing directly to the http://wa.me domain to its search results database.

What are the possibilities?

Now assume the user deletes the link from their website or deletes the tweet. The link disappears from the website but not from Google's search database. This happens because the http://wa.me/<mobile_number> URL is still valid and accessible to Googlebot, so Google keeps the link in its search results database, where it remains searchable; indexed links are not removed on their own when the user deletes them from a website or tweet.

Also note that WhatsApp did not give users an option to revoke or delete links for the so-called Web API.

Note that this finding covers only links originating from the http://wa.me domain and does not include links from other websites.

How to fix this?

WhatsApp could have prevented Google from crawling any link that looks like https://wa.me/*.

This could have been ensured by adding a robots.txt to their domain to stop bots from crawling the website's directories and subdirectories, and by putting a noindex meta tag in those pages, which tells all bots, including Google's, not to index the URLs in their search databases.
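The two controls described above can be checked offline. The following is an added example, not code from the original article or from WhatsApp: it parses a robots.txt body and a page's HTML and reports how a well-behaved crawler would treat a URL. The robots.txt texts, the HTML snippets and the URL `https://wa.me/PLACEHOLDER_NUMBER` are constructed sample data, not content fetched from wa.me.

```python
"""Classify a URL's exposure to search indexing from two controls:
a robots.txt body (crawl permission) and a <meta name="robots"> tag
(index permission). Added example; all inputs below are constructed."""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample URL (placeholder path, not a real number).
SAMPLE_URL = "https://wa.me/PLACEHOLDER_NUMBER"

# Constructed robots.txt that forbids every crawler from every path.
ROBOTS_TXT_BLOCK_ALL = """\
User-agent: *
Disallow: /
"""

# Constructed robots.txt that allows everything, which is also the effective
# behaviour of a site that serves no robots.txt at all.
ROBOTS_TXT_ALLOW_ALL = """\
User-agent: *
Disallow:
"""

# Constructed pages: one carrying a noindex directive, one without any.
SAMPLE_HTML_NOINDEX = """<html><head>
<meta name="robots" content="noindex, nofollow">
<title>sample</title></head><body>hello</body></html>"""

SAMPLE_HTML_PLAIN = """<html><head>
<title>sample</title></head><body>hello</body></html>"""


def crawl_allowed(robots_txt: str, url: str, user_agent: str = "Googlebot") -> bool:
    """Return True if robots_txt permits user_agent to fetch url."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


class _MetaRobotsParser(HTMLParser):
    """Collect every directive from <meta name="robots" content="..."> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "robots":
            self.directives.extend(
                d.strip().lower() for d in attr.get("content", "").split(",")
            )


def has_noindex(html: str) -> bool:
    """Return True if the page carries a robots meta tag containing noindex."""
    parser = _MetaRobotsParser()
    parser.feed(html)
    return "noindex" in parser.directives


def indexing_exposure(robots_txt: str, html: str, url: str) -> str:
    """Classify how a compliant crawler treats url.

    'blocked'   : robots.txt forbids the fetch, so the page body is never read.
    'noindex'   : fetch allowed, but the page tells indexers not to list it.
    'indexable' : neither control is present; the URL can end up in results.
    """
    if not crawl_allowed(robots_txt, url):
        return "blocked"
    if has_noindex(html):
        return "noindex"
    return "indexable"


if __name__ == "__main__":
    for label, robots, page in [
        ("no controls", ROBOTS_TXT_ALLOW_ALL, SAMPLE_HTML_PLAIN),
        ("noindex only", ROBOTS_TXT_ALLOW_ALL, SAMPLE_HTML_NOINDEX),
        ("robots.txt block", ROBOTS_TXT_BLOCK_ALL, SAMPLE_HTML_NOINDEX),
    ]:
        print(f"{label:18s} -> {indexing_exposure(robots, page, SAMPLE_URL)}")
```

One caveat the classification makes visible: a robots.txt Disallow stops the crawler from reading the page, so a noindex tag on a blocked page is never seen, and a blocked URL that is linked from elsewhere can still be listed as a bare URL. The noindex tag is only honoured on pages the crawler is allowed to fetch, and URLs that are already indexed need an explicit removal request in addition to either control.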

I would have agreed with them not fixing this if they had encrypted those mobile numbers that are visible in plaintext and allowed users to revoke the rules. The plaintext mobile numbers increased the impact: WhatsApp users are identified by mobile numbers, and there you have those mobile numbers listed in plaintext.


WhatsApp can also request removal of all the links from Google using Google Webmaster Tools, a free tool with which you can remove links from your website and block them from appearing in the search engine. I love the way the Google search engine works; you know most webmasters use it. Google gives you direct control over which parts of your website should be accessible through its search engine and which shouldn't. When I was a tech blogger I used it myself, and I know it is very simple and easy to use; any user with basic knowledge can manage their site's links appearing in Google search using Google Webmaster Tools.

Concluding Note

Throughout my time researching cybersecurity, as well as in my consulting experience at a big four organization, I learned the key principle of never handing over the security of your website or data to users; it should always be ensured by the organization. If the organization won't, do not expect it from the users. Blaming the users won't make a difference; the organization should take care of that.

I look forward to the day when user data is managed with the utmost security and features are released with security at their core. You may have a billion users, but you don't have me. Even if one user can be made safe, that is a win for me.