WhatsApp Click to Chat Feature Exposes User Phone Numbers to Google Indexing

Security researcher Athul Jayaram has raised concerns about a potential privacy risk in WhatsApp’s Click to Chat feature. According to Jayaram, this feature allows Google to index users’ phone numbers, making them easily searchable through the search engine.

How Click to Chat Works

Click to Chat enables websites to quickly start a WhatsApp conversation with their visitors. The feature works by assigning a QR code to the website owner’s phone number. Visitors simply scan the QR code or click on a URL, which initiates a WhatsApp chat. There’s no need to manually enter a phone number, but once the chat begins, the user still has access to the number.

The Privacy Issue

Jayaram explains that the problem arises because these phone numbers are included in the metadata that Google indexes. The phone number appears in the URL string (for example, https://wa.me/), which leads to its exposure. As a result, spammers can easily compile databases of valid phone numbers and use them for their campaigns. The researcher found around 300,000 phone numbers indexed by Google in this way.
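
For a site owner who wants to know which of their own pages publish a number this way, the following added example (not from the article, the researcher, or WhatsApp) scans page HTML for Click to Chat links and reports each number masked. The `api.whatsapp.com/send?phone=` long form, the function names, and the sample HTML with fictional numbers are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page; the numbers are fictional (555-01xx range).
SAMPLE_HTML = """
<a href="https://wa.me/15555550123">Chat with sales</a>
<a href="https://api.whatsapp.com/send?phone=15555550147&amp;text=Hello">Support</a>
<a href="https://wa.me/message/ABC1234567">Catalog</a>
<a href="/contact">Contact form</a>
"""

def number_from_link(href):
    """Return the phone digits a Click to Chat URL carries, or None."""
    url = urlparse(href)
    host = url.hostname or ""
    if host == "wa.me":
        candidate = url.path.strip("/")  # https://wa.me/<number>
    elif host == "api.whatsapp.com":
        candidate = parse_qs(url.query).get("phone", [""])[0]  # long form (assumed)
    else:
        return None
    candidate = candidate.strip().lstrip("+")
    # Only a bare international number counts; other wa.me paths are ignored.
    return candidate if re.fullmatch(r"\d{7,15}", candidate) else None

def mask(digits):
    """Keep the last four digits so a report does not re-publish the number."""
    return "*" * (len(digits) - 4) + digits[-4:]

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def audit_page(html):
    """List the Click to Chat links on a page with their numbers masked."""
    collector = LinkCollector()
    collector.feed(html)
    found = [(urlparse(h).hostname, number_from_link(h)) for h in collector.hrefs]
    return [{"host": host, "masked": mask(n)} for host, n in found if n]

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML):
        print(finding)
```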

Potential for Abuse

Although the phone numbers are not directly linked to the owners’ names, attackers can still identify the owners. Clicking on a phone number URL in Google search results opens the user’s WhatsApp profile, often displaying their photo. Malicious actors can use reverse image search and other methods to gather more information about potential victims.

WhatsApp’s Response

Jayaram reported his findings to WhatsApp, but the company declined to treat it as a vulnerability. WhatsApp stated that users have chosen to make their phone numbers public by using the Click to Chat feature.
