Tech

If you use WhatsApp your phone number may be on the open web

Sharing your WhatsApp QR code online could result in your phone number being available via a Google search.

Woman using deaf phone
Shutterstock

WhatsApp launched a new feature earlier this year that lets you add contacts via QR code. Now a security researcher, Athul Jayaram, reports that sharing the links to these QR codes online could result in your phone number being revealed to anyone who cares to look.

Admittedly, this isn't a huge issue, especially if you only use WhatsApp to talk to close friends and family who are likely already in your contacts list. But the Facebook-owned company built itself on prioritizing privacy over money or growth, and leaking the phone numbers of its users isn't exactly keeping them private. You can always block someone on WhatsApp, but your phone number is more personally-identifiable and linked to critical services.

The problem stemmed from Google indexing these pages. The company says it has since stopped doing so following an article on the issue by SlashGear. Prior to the change, though, posting your WhatsApp QR code online could result in Google indexing it, with no easy way for users to remove the results from search. It's possible that WhatsApp added a robots.txt file to its website that tells Google to stop indexing its pages.

Though, WhatsApp should never have made it possible to do this in the first place, especially considering the number of sensitive things most people's phone numbers are linked to. Bad actors could have potentially used phone numbers leaked by WhatsApp to target people with scams, SIM swaps, identity theft, or other forms of fraud.

Maybe just don't share your code willy nilly? — This issue arose because the new QR codes are hosted at the https://wa.me domain, which does not use encryption to hide a user's phone number. Therefore, if you share one of these codes online for others to contact you, anyone will be able to see your phone number because it will be present in the URL. If you share one of these codes on Twitter, for instance, everyone will be able to see your phone number.

It's easy to link a phone number to a specific person from the QR code page because it also includes the user's profile picture (see below). Many people use the same profile image for multiple services, meaning a reverse image search could make it rudimentary to link their number to their name.

If you want to keep your phone number private, you should only share these QR codes through private messages with people whom you trust. Better yet, stick to iMessage, Telegram, or Signal for your messaging and kiss the Facebook-owned WhatsApp goodbye.