WhatsApp can reveal your phone number in Google Search — How to Protect You

Your phone number may be searchable in Google search results.

Security researcher Athul Jayaram reported to security news site Threatpost last week that a site-specific Google search on a domain owned by WhatsApp showed thousands of phone numbers.

"This URL shows your cell phone number in plain text, and anyone who gets this URL can get your cell phone number," Jayaram told Threatpost.

"Once an individual phone number is leaked, an attacker can message that person, call them, or sell their phone number to marketers, spammers, or scammers."

That's right. Same goes for having your number listed in the phone book, if you're old enough to remember the phone book.

WhatsApp's domain "wa.me" was created for WhatsApp's Click to Chat feature. Click to Chat places a link on a business or personal website so that a visitor can start a WhatsApp chat with that account directly from the mobile app or the WhatsApp desktop software.

"My phone number is public on the web; there is no need to involve WhatsApp," one person whose phone number appeared in Google search results told Threatpost. However, another said, "I set up WhatsApp for business, so people should be able to text me directly without knowing my phone number."

Because the link itself contains the phone number (it looks like "https://wa.me/1XXXXXXXXXX"), Google's search spider picks up the number and lists it in its index.

Jayaram recommended adding a "robots.txt" file to the "api.whatsapp.com" domain associated with "wa.me", so that the Click to Chat links are not indexed by search engines.

Jayaram told Threatpost that he contacted Facebook about the issue and tried to collect a bug bounty, but was turned away.

A WhatsApp spokesperson told Threatpost that the issue is not eligible for a bug bounty because it "only involves search engine indexing of URLs that WhatsApp users choose to publish."

We reproduced Jayaram's method and found that most of the numbers it turned up belonged to businesses. If this amounts to a phone book, it looks more like an incomplete yellow pages than a complete white pages.

The method is simple. Google allows you to narrow your search to a specific domain (in this case, "wa.me").

So, if you type "site:wa.me" into Google's search field or Chrome's address bar, you will see a long list of search results such as "WhatsApp messages +1 234 567 8901". Clicking on a result will initiate a chat session with that WhatsApp account.

You can change the search string to narrow it down to a specific country code or area code. For example, typing "site:wa.me +1 212" will display Click to Chat links that include Manhattan area codes.

Because New York City cell phone numbers have long been limited to the 917 area code, this search yielded only three hits; a search for "site:wa.me +1 917" yielded only 29 hits.

We then searched for our own cell phone number combined with "site:wa.me", both with and without the country code, and got nothing either way.

If your number does show up, ask yourself whether you are comfortable with it being public. Many businesses want their numbers to be public.

If you are not, contact WhatsApp and ask to have the link removed from wa.me. If you are fine with the number being public, make sure it is not the number another account uses to receive password-recovery verification codes or two-factor authentication SMS codes.
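Before deciding which numbers you are happy to have public, it helps to know exactly which ones your own site already exposes through Click to Chat links. The following script is an added example, not code from the article or from WhatsApp: it scans the HTML of your pages for "wa.me" links, pulls out the number each link carries (the link format is the one shown above; the handling of a trailing query string is an assumption), and reports which pages expose which number. The sample pages and numbers are constructed.

```python
"""Inventory the phone numbers that wa.me Click to Chat links expose.
Added example, not from the article: scan your own pages' HTML for wa.me
links and report which number each page exposes. Sample HTML is constructed.
"""
import re
from html.parser import HTMLParser

# A Click to Chat link is https://wa.me/<country code + number, digits only>,
# as in the article's "https://wa.me/1XXXXXXXXXX"; a trailing query string
# (an assumption here, e.g. a prefilled message) is ignored.
WA_ME_RE = re.compile(r"^https?://wa\.me/(\d{7,15})(?:[/?#].*)?$", re.I)

class WaMeLinkCollector(HTMLParser):
    """Collects the number from every <a href> that points at wa.me."""

    def __init__(self):
        super().__init__()
        self.numbers = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        match = WA_ME_RE.match((dict(attrs).get("href") or "").strip())
        if match:
            self.numbers.append(match.group(1))


def exposed_numbers(pages):
    """Map each exposed number to the sorted pages linking to it ({name: html})."""
    found = {}
    for name, html in pages.items():
        collector = WaMeLinkCollector()
        collector.feed(html)
        for number in set(collector.numbers):
            found.setdefault(number, set()).add(name)
    return {number: sorted(names) for number, names in found.items()}


# Constructed sample pages with placeholder numbers (555 exchange).
SAMPLE_PAGES = {
    "contact.html": '<a href="https://wa.me/12125550100">Chat with sales</a>'
                    '<a href="https://wa.me/12125550100?text=Hi">Chat again</a>',
    "about.html": '<a href="https://wa.me/19175550199">WhatsApp me</a>'
                  '<a href="https://example.com/wa.me/123">not a wa.me link</a>'
                  '<a href="https://wa.me/">no number, so not counted</a>',
}

if __name__ == "__main__":
    for number, names in sorted(exposed_numbers(SAMPLE_PAGES).items()):
        print(f"+{number} exposed on: {', '.join(names)}")
```

Run it over a dump of your own site's HTML; any number in the report is one a search engine can find the same way the article describes.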
