Allegedly WhatsApp Data Leak Contains 500 Million Phone Numbers Being Sold Online, What Happened?
Puts on Meta?
How does this happen? Did the “hacker” find some exploit in the application? Maybe some super complicated buffer overflow attack? Nope, they used Google.
Before I start, I’m not accusing Meta of anything at this point since this story is still developing. I’m going to discuss what has allegedly happened.
WhatsApp phone numbers could be searched (apparently for 2 years) due to a feature called click to chat. Click to chat allows users to create chats if a user knows the persons phone number and they have a WhatsApp account.
If the above conditions are true, all one has to do is enter the following URL into a browser:
https://wa.me/<number> # where number is the users phone number
to start a chat.
Unfortunately for Meta, Google automatically visits publicly accessible web pages by web crawling and adds them to the search index.
One might come to the conclusion, Google added all the click to chat links to the search index. Anyone with some Google dorking knowledge could search all of these URLs and collect them. Mental Outlaw on YouTube created a video demonstrating (jump to 4:08 for demo) how to do it.
Note: This issue has been fixed or purged from Google searches. Either way, do not try this. It’s possible that personal data is still available.
Final point, Meta acknowledges that scraping on WhatsApp could get users banned if they’re scraping for personal data.
What did the “Hacker” do?
Most likely after someone discovered this issue, created a script to run Google searches based on the method shown in the video. Maybe extra logic was added to filter out phone numbers. However, figuring out the validity of those phone numbers requires a lengthy investigation.