Facebook went on a whack-a-mole expedition patching a security vulnerability that exposed thousands of WhatsApp users' phone numbers with a fairly simple Google search. The Indian researcher who found this loophole is also crying foul for not being able to receive a bounty for his bug find.
In a Medium post on June 6, Athul Jayarum published his initial discoveries on a few domains that were indexed into Google search: https://wa.me and https://api.whatsapp.com. Users are able to generate URLs — for beta users at the moment, it can be through new profile-sharing QR codes — on top of these domains containing their unencrypted phone numbers as subdirectories to share with friends — those friends can click on it and immediately start chatting with the user on WhatsApp.
In addition to that questionable aspect, Javarum wrote that Facebook failed to do due diligence in preventing Google from scraping the URLs by inserting a robots.txt file in the server root or at least including noindex meta tags on the individual pages.
A Google search using the site: function for api.whatsapp.com or wa.me along with a country code (formatted as +1 for the U.S. or +91 for India, for example) pulls up a whole bunch of these direct WhatsApp chat portals. Presumably, there have to be at least some entries for just about every country code out there, so while each country generates hundreds of results, they stack up in very short order. Jayaram was able to connect and chat with a random sample of users. But, as we've reported on, the potentials for abuse go farther than that.
Facebook initially only took wa.me off the indices before later taking down api.whatsapp.com.
Jayaram had contacted Facebook to see if the company would offer a bounty for finding a data abuse bug in WhatsApp, but was disappointed when it responded that it would not per its policy exceptions. With a user base of over 2 billion, the researcher argues that he should be rewarded for pointing out such a glaring chasm.
- Source:
- Medium