One of WhatsApp's lesser-known features, ‘Click to Chat’, allows you to start a chat with someone without having their phone number saved on your mobile. If you know a person's number and they have an active WhatsApp account, you can create a link that starts a chat with that person. When you click on the link, the chat with that person opens automatically.
WhatsApp’s click-to-chat feature
This function is available both on the phone and on WhatsApp Web. And right now it’s creating problems for Facebook, since it has caused a security breach that is exposing the phone numbers of hundreds of thousands of users. According to Athul Jayaram, a researcher from India and bug bounty hunter, using this WhatsApp function can cause your phone number to appear in Google’s public search results, opening the door to all kinds of scams and cyber attacks.
But how is it possible that WhatsApp, so concerned about security that it uses end-to-end encryption, is doing this? These phone numbers are being exposed by the domain “wa.me”, owned by WhatsApp, which stores Click to Chat metadata in a URL string (for example https://wa.me/). According to Jayaram, “your mobile number is visible in plain text at this URL, and anyone who takes the URL can know your mobile number.” This is something that “cannot be revoked. As numbers are filtered out of individual phones, an attacker can send messages, call them, sell their phone numbers to vendors, spammers and scammers.”
The researcher began to track the domain through Google, theoretically discovering up to a total of 300,000 WhatsApp numbers that were available to anyone on Google. Although the user's full name does not appear on the page that shows them, you can see their profile photo (if they have one), which is perhaps even worse.
Of course, Jayaram immediately notified Facebook, owner of WhatsApp, of the finding. Unexpectedly, WhatsApp rejected the request because “WhatsApp users have full supervision of the information attached to their profile that is made available to the public.” According to a spokesperson for the app:
“Although we appreciate this researcher’s report and appreciate the time it took to share it with us, it was not eligible for a reward, as it simply contained a search engine index of the URLs that WhatsApp users chose to make public. All WhatsApp users, including companies, can block unwanted messages with the push of a button.”
Using Jayaram's search string, a Google search for site:wa.me "+" returns 35,900 results, a figure far from the 300,000 that the researcher indicates, but still high. Repeating that search with the string site:wa.me "+34", we see that there are 1,350 numbers. ‘+34’ is precisely the prefix for Spain, so those 1,350 numbers are exposed Spanish WhatsApp phones, available to anyone on Google. And although several belong to companies and others are erotic in content, there are also personal ones.
How do you know if your number is among them? Use this search string:
site:wa.me "+34 xxx xx xx xx"
Replace the x's with your mobile number. If the search does not return any results, you can rest easy: your number has not been exposed. And even if you have never used Click to Chat, it is worth checking just in case.
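The exposure described above comes from wa.me links published on pages that search engines index. As an added example (not part of the original article), this Python sketch audits HTML you publish yourself for such links and builds the self-check search string; the digits-in-path link format, the function names and all sample numbers are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Assumption: the number sits as digits in the wa.me path; sample numbers are constructed.
WA_HOSTS = {"wa.me", "www.wa.me"}


class LinkCollector(HTMLParser):
    """Collect the href of every anchor tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_exposed_numbers(html):
    """Return the distinct phone numbers (digits only) carried by wa.me links."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        # Scheme-less links such as "wa.me/123" need a scheme to parse the host.
        url = urlparse(href if "//" in href else "https://" + href)
        if (url.hostname or "").lower() not in WA_HOSTS:
            continue
        digits = re.sub(r"\D", "", unquote(url.path))  # decode %20 before stripping
        # E.164 allows at most 15 digits; 7 is an assumed lower bound.
        if 7 <= len(digits) <= 15 and digits not in found:
            found.append(digits)
    return found


def mask(number):
    """Hide all but the last two digits so the audit report does not re-leak it."""
    return "*" * (len(number) - 2) + number[-2:]


def self_check_query(country_code, national_number):
    """Build the article's search string for checking your own number."""
    return f'site:wa.me "+{country_code} {national_number}"'


SAMPLE_HTML = """
<a href="https://wa.me/34600000001">Chat with us</a>
<a href="https://wa.me/+34%20600%20000%20002?text=Hi">Support</a>
<a href="https://example.com/contact">Contact form</a>
<a href="wa.me/34600000001">Duplicate link</a>
"""
```

Running `find_exposed_numbers` over your own site's pages shows which numbers a crawler could pick up; replacing those links with a contact form keeps the number out of search indexes.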
