Your phone number may be searchable in Google results — but it's actually WhatsApp's fault.
Security researcher Athul Jayaram contacted the security-news site Threatpost (opens in new tab) last week to report that he did a site-specific Google search for numbers on a WhatsApp-owned domain and thousands of phone numbers popped up.
- Best encrypted messaging apps
- WhatsApp is getting one of its biggest upgrades yet
- Just In: Google Meet upgrade is a real Zoom killer
"Your mobile number is visible in plain text in this URL, and anyone who gets hold of the URL can know your mobile number," Jayaram told Threatpost. "As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers."
That is true. So is having your number listed in a phone book, if you're old enough to remember those.
The WhatsApp domain, "wa.me", was created as part of WhatsApp's Click to Chat feature. Click to Chat lets businesses or individuals put links on their websites so that people (mostly potential customers) can easily send them WhatsApp chat messages through mobile apps or WhatsApp's own desktop software.
"My phone number is public on the web. No need to implicate WhatsApp," one person whose number came up in the Google search results told Threatpost. However, another said that "I set up WhatsApp for my business so people should text directly without getting my number."
Because the links include phone numbers -- they look like "https://wa.me/1XXXXXXXXXX" -- the numbers get noticed and listed by Google's search spiders.
Jayaram recommends that WhatsApp add a "robot.txt" file to the "wa.me" domain and the related "api.whatsapp.com" domain to prevent them from being indexed.
Jayaram told Threatpost that he contacted Facebook about this issue and tried to collect a bug bounty, but was turned away.
A WhatsApp spokesperson told Threatpost that the issue didn't qualify for a bug bounty because "it merely contained a search engine index of URLs that WhatsApp users chose to make public."
How to use Google to find your WhatsApp number
We figured out Jayaram's method and got, yep, mostly businesses. If this indeed creates a phone book, it's more like an incomplete Yellow Pages than a full White Pages.
The method is simple. Google lets you narrow searches to specific domains, in this case "wa.me".
So you can type "site:wa.me" into a Google search field or the Chrome address bar, and you'll get a long list of results that look like "Message +1 234 567 8901 on WhatsApp". Click a result, and you'll open a chat session with that WhatsApp account.
You can modify the search string to narrow it down to specific country codes and even area codes. So "site:wa.me +1 212" gets you all the Click to Chat links that include the Manhattan area code.
We got only three results for that search, because New York City mobile numbers were for many years relegated to the 917 area code. Searching "site:wa.me +1 917" got only 29 results, not all of which were actual New York City numbers.
And we searched for our own mobile number. We got nothing. You can do the same by adding your own number, including the country code, to the "site:wa.me" Google search string.
What to do if your number comes up
If your number does indeed pop up, then ask whether you're OK with having it public. Many businesses would want their numbers to be.
If not, then contact WhatsApp (opens in new tab) to see if it can be removed from wa.me. If you are fine with the arrangement, then make sure that number is not connected to any other account as a password-recovery verification number or a receiver for two-factor-authentication SMS codes.