Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Cybersecurity researcher claims WhatsApp privacy issue made users’ phone numbers searchable in plain text on Google

Cybersecurity researcher claims WhatsApp privacy issue made users’ phone numbers searchable in plain text on Google

An independent cybersecurity researcher, Athul Jayaram, has revealed that due to a privacy issue, WhatsApp numbers of users from the US, UK, India and many other countries have been leaked and are available on the open web in plain text.

Jayaram revealed this in a post on MediumHe claims that around 29,000-3,00,000 WhatsApp user’s mobile numbers are now accessible in plain text to any internet user. Cybersecurity researcher claims WhatsApp privacy issue made users phone numbers searchable in plain text on Google

Image: Reuters

He explains that WhatsApp offers a Click to Chat feature that lets users create a link that can be shared anywhere like Twitter and just by clicking at that link, anyone can contact them on WhatsApp. Because of the privacy loophole, the feature was reportedly putting phone numbers of users at a risk by allowing Google Search to index the links. As a consequence, these phone numbers can show up in Google Search.

He says anyone including cybercriminals, fraudsters, and marketing executives can get a hold of these numbers by putting a simple Google Search query:<+country code>. They can even look at your WhatsApp display picture and status if you have made them public.Image: Medium

Image: Medium

We reached out to WhatsApp to learn more about the security issue. A company spokesperson said, “Our Click to Chat feature, which lets users create a URL with their phone number so that anyone can easily message them, is used widely by small and microbusinesses around the world to connect with their customers. While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”

How can this be avoided?

Meanwhile, Jayaram also offered a solution to the issue.

“This privacy issue could have been avoided if WhatsApp encrypted the user mobile numbers as well as by adding a robots.txt file disallowing the bots from crawling their domain and a meta noindex tag on the pages, unfortunately, they did not do that yet and your privacy may be at stake.”

Google’s indexing of WhatsApp numbers raises privacy concerns

Google is indexing the phone numbers used on WhatsApp, and a researcher is concerned that it could cause privacy issues or be used for malicious purposes.

Earlier this year, Bleeping Computer reported how invite links to private groups of messaging apps like WhatsApp and Telegram were visible on Google, letting anyone join the groups.

This week, security researcher Athul Jayaram highlighted an issue with WhatsApp’s “” domain “leaking” contact phone numbers on Google.

The ‘’ domain is owned by WhatsApp and is used to host ‘lick to chat‘ links that “allows you to begin a chat with someone without having their phone number saved in your phone’s address book.”

WhatsApp phone numbers indexed in Google

As stated by Jayaram and confirmed by BleepingComputer, there is no “robots.txt” file on “” or “” domains that instructs search engines not to crawl phone numbers on the website.

As a result, the links which start with “” get indexed by Google and other search engines and appear in search results.

“As individual phone numbers are leaked, an attacker can message them, call them, sell their phone numbers to marketers, spammers, scammers,” Jayaram told Threatpost, who broke the story.

When clicked, these links redirect to an “” page enabling a user to “continue chat” with the WhatsApp user.

While this could be a potential privacy issue, especially if spammers can get their hands on legitimate WhatsApp numbers being indexed by Google and text you directly on WhatsApp, this isn’t necessarily a bug. 

As a test, I created the fake link using a fake phone number.

As you can see below, this redirected me to the link, as shown below. This link showed the same landing page, giving off the impression as if the number was a valid WhatsApp contact, even when it wasn’t.

Fake WhatsApp click to chat link

This means spammers can’t simply exploit this feature to “enumerate” legitimate WhatsApp numbers.

Perhaps it is for that reason that Facebook had rejected the bug bounty report filed by Jayaram on the issue:

“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button,” Jayaram told Threatpost.

Additionally, it is worth noting that entire directories of legitimate phone numbers, regardless of whether they have had a WhatsApp/Telegram account, are posted on the web.

This practice has been going on for decades-long before messaging apps even existed and allowed Google to index the numbers.

Phone number directories indexed in Google

Therefore, publishing a mere phone number on the web does not automatically link to personally identifiable information or passwords.

Jayaram still feels that the public indexing of phone numbers can be a security risk or privacy risk, as so many of our online services are tied to our phone numbers.

The researcher recommends that WhatsApp use a robots.txt file in their domains, preventing Google from crawling these results, and also to encrypt user’s mobile numbers. 

“Unfortunately they did not do that yet, and your privacy may be at stake,” he said. “Today, your mobile number is linked to your Bitcoin wallets, Adhaar, bank accounts, UPI, credit cards…[allowing] an attacker to perform SIM card swapping and cloning attacks by knowing your mobile number is another possibility,” Jayaram stated.

It is not entirely clear what is meant by “encrypting” mobile numbers in this context, but it could be to obfuscate the numbers with randomized strings, such as this one URL, which redirects to BleepingComputer.

Unfortunately, at this time, WhatsApp does not provide a way to make your phone number private.

Those who are concerned about it being indexed should get a virtual phone number from Google Voice or another similar service.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us