Jayaram found that it was possible to expose phone numbers from Click to Chat by running a search for “site:wa.me”.
In a statement to TechCrunch, a WhatsApp spokesperson said:
“While we appreciate this researcher’s report and value the time that he took to share it with us, it did not qualify for a bounty since it merely contained a search engine index of URLs that WhatsApp users chose to make public. All WhatsApp users, including businesses, can block unwanted messages with the tap of a button.”
The spokesperson went on to say that WhatsApp made a change that stopped web crawlers from indexing the link data, stopping the flaw. The issue arose from the fact people using Click to Chat were unaware that the process made the phone numbers public, which WhatsApp had not made clear enough in the set up process.