Facebook has moved to fix a security vulnerability that exposed the phone numbers of many WhatsApp users. The vulnerability exposed those numbers through nothing more than a simple Google search. The loophole was discovered by an Indian researcher on June 6th; he is disappointed at not receiving a bounty for his finding.
According to the initial write-up posted by Atul Jayram, the problem lay with domains such as https://wa.me and https://api.whatsapp.com, which were being indexed by Google. Users generate URLs on these domains through the new QR code feature for profile sharing. The URLs contain the phone numbers unencrypted, and anyone who finds one can post a message to that number directly through WhatsApp.
Jayram wrote in his blog that Facebook failed to put a proper check in place, such as a robots.txt file, to stop Google from scraping these URLs. A simple Google search for api.whatsapp.com or wa.me together with the country code +91 leads directly to the chat pages of different numbers. The search results list links that open a message to ‘+91 – Xxxxx’ numbers, exposing hundreds and thousands of numbers.
The same applies to other country codes, with phone numbers from other countries appearing in the search. Jayram tried initiating chats with random users but stopped, since doing so could amount to abuse. Soon after Jayram reported the issue, Facebook took down wa.me and, later, api.whatsapp.com.
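As an added illustration (not from the article, and not WhatsApp's or Facebook's own configuration), the Python check below compares a permissive robots.txt with one that disallows crawling and reports which click-to-chat style URLs a crawler would still be allowed to fetch. The domains are the two named above, the digits in the sample URLs are placeholders, and the `X-Robots-Tag` helper is an assumed additional mitigation that the article itself does not describe.

```python
import re
import urllib.robotparser

# Constructed sample URLs in the click-to-chat shape the article describes.
# The digits are placeholders, not real phone numbers.
SAMPLE_URLS = [
    "https://wa.me/910000000000",
    "https://api.whatsapp.com/send?phone=910000000000",
    "https://wa.me/",
]

# Constructed robots.txt bodies (assumptions, not the real files).
# The permissive form lets every crawler fetch every path, which is the
# situation the article attributes to the missing robots.txt check.
PERMISSIVE_ROBOTS = "User-agent: *\nDisallow:\n"
# The hardened form forbids crawling of the whole host.
HARDENED_ROBOTS = "User-agent: *\nDisallow: /\n"

# A path segment or phone= parameter made of 7-15 digits, i.e. a URL that
# carries a phone number in plain text.
PHONE_PATH = re.compile(r"(?:/|phone=)\d{7,15}")


def crawlable(robots_txt, url, agent="Googlebot"):
    """True if the given robots.txt permits `agent` to fetch `url`."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def exposed_urls(robots_txt, urls):
    """URLs that embed a phone number AND that a crawler may fetch."""
    return [u for u in urls if PHONE_PATH.search(u) and crawlable(robots_txt, u)]


def robots_header_for(url):
    """Assumed per-response mitigation: ask search engines not to index
    number-bearing URLs. A robots.txt Disallow only stops fetching; a URL
    seen elsewhere can still be listed, and a noindex header is only seen
    on pages the crawler is allowed to fetch, so the two must be combined
    deliberately rather than assumed to overlap."""
    if PHONE_PATH.search(url):
        return {"X-Robots-Tag": "noindex, nofollow"}
    return {}


if __name__ == "__main__":
    print("permissive:", exposed_urls(PERMISSIVE_ROBOTS, SAMPLE_URLS))
    print("hardened:  ", exposed_urls(HARDENED_ROBOTS, SAMPLE_URLS))
```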
The Indian researcher contacted Facebook about a bounty for his work in identifying the flaw and was utterly disappointed by Facebook’s response denying any reward. He argued that, with a user base of 2 billion, he expected to be rewarded for helping close a huge security breach. It may be that this kind of bug is not covered by Facebook’s bounty program, which would explain why Jayram was not rewarded.