Concise Cyber

WhatsApp Vulnerability Exposed User Phone Numbers via Search Engine Indexing

A significant security flaw was discovered in WhatsApp’s “Click to Chat” feature: the mobile phone numbers of users who shared Click to Chat links were indexed by search engines and became publicly discoverable. The issue was identified and reported by security researcher Athul Jayaram. Because the links embed the raw phone number, indexing them effectively allowed anyone to enumerate phone numbers registered to the platform.

How the ‘Click to Chat’ Flaw Worked

The “Click to Chat” feature generates a URL shortcut of the form wa.me/<phone_number> so that a user can start a chat without first saving the contact. The vulnerability existed because these URLs, which carry the user’s phone number in plain form, were crawled and indexed by search engines such as Google whenever the link was posted on a public web page. Since the number sits in the URL itself rather than in page content, the search result listing alone discloses it. As a result, anyone could run a query such as site:wa.me to list indexed WhatsApp user phone numbers. At the time of his report, Jayaram found approximately 300,000 user phone numbers exposed in search results.

WhatsApp’s Official Response

After Jayaram reported the issue to Facebook’s bug bounty program, the company responded that the search engine indexing was an intentional result of users choosing to make their information public. WhatsApp stated that a 2019 update to the feature added a “noindex” tag to prevent these pages from being indexed. However, the researcher noted that this tag does not retroactively remove URLs that had already been indexed: a noindex directive only takes effect once a crawler re-fetches the page, so previously indexed links stay in search results until they are recrawled or removed. Facebook ultimately closed the bug report, deeming it ineligible for a bounty.
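The following is an added example, not code from the original article or from WhatsApp or Facebook. It covers both points above: it extracts phone numbers from wa.me deep links of the kind a site:wa.me search would surface, and it checks whether a page response carries the noindex directive WhatsApp described (as a robots meta tag or an X-Robots-Tag header). The URLs, headers and HTML below are constructed sample data, not real search results; the 7-to-15-digit length rule is an assumption based on E.164 numbering.

```python
"""Added example (not from the original article or from WhatsApp/Facebook).

1. Extract phone numbers from wa.me Click to Chat links.
2. Check whether a response carries a noindex directive.

All inputs are constructed sample data, not real search results.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# wa.me/<digits>: the article gives the URL format; the 7..15 digit bound is
# an assumption based on E.164 numbers written without the leading '+'.
WA_ME_PATH_RE = re.compile(r"^/(\d{7,15})/?$")


def phone_from_click_to_chat_url(url: str) -> Optional[str]:
    """Return the phone number embedded in a wa.me link, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "") != "wa.me":      # hostname is lower-cased by urlsplit
        return None
    m = WA_ME_PATH_RE.match(parts.path)         # query string (?text=...) is ignored
    return m.group(1) if m else None


def enumerate_numbers(urls: List[str]) -> List[str]:
    """De-duplicated phone numbers, in first-seen order, from a list of URLs."""
    seen: List[str] = []
    for u in urls:
        n = phone_from_click_to_chat_url(u)
        if n and n not in seen:
            seen.append(n)
    return seen


# Constructed sample URLs of the shape a site:wa.me search result could contain.
SAMPLE_INDEXED_URLS = [
    "https://wa.me/15550001234",
    "https://wa.me/15550001234?text=Hello",          # same number, prefilled text
    "https://WA.ME/442071234567/",                   # mixed-case host, trailing slash
    "https://wa.me/qr/ABCDEF",                       # QR-style link, no number
    "https://wa.me/",
    "https://evil.example/wa.me/15550009999",        # not the wa.me host
]

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*["']([^"']*)["']""")


def has_noindex(headers: Dict[str, str], body: str) -> bool:
    """True if the response asks crawlers not to index it.

    Checks the X-Robots-Tag header and <meta name="robots"|"googlebot"> tags,
    attribute order independent. This only tells you what a crawler will see
    on its *next* fetch; it says nothing about URLs already in an index.
    """
    for name, value in headers.items():
        if name.lower() == "x-robots-tag" and "noindex" in value.lower():
            return True
    for tag in META_TAG_RE.findall(body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() in ("robots", "googlebot") \
                and "noindex" in attrs.get("content", "").lower():
            return True
    return False


if __name__ == "__main__":
    print("numbers:", enumerate_numbers(SAMPLE_INDEXED_URLS))
    sample_body = '<html><head><meta content="noindex, nofollow" name="robots"></head></html>'
    print("noindex present:", has_noindex({}, sample_body))
```

Two caveats a practitioner would check before trusting a noindex fix: the tag must be reachable by the crawler, so the path must not also be disallowed in robots.txt (a crawler that is blocked never sees the tag), and URLs already indexed only drop out after a recrawl or an explicit removal request, which is exactly the gap the researcher pointed at.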

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You are advised to do your own checks and balances before making any decision, and the owners and publishers at cyberconcise.com cannot be held accountable for the resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
