WhatsApp’s systemic flaw was exploited by a group of researchers to expose around 3.5 billion phone numbers and related account data. As per the study, the researchers took advantage of the fact that the Meta-owned platform does not apply any rate limits on showing profiles on a registered account, letting them process large datasets of possible phone numbers and checking if these numbers belonged to anyone. The researchers said this is the most extensive exposure of phone numbers and associated profile data ever documented, and in the wrong hands, could have led to a major security threat.
Note: WhatsApp reached out to Gadgets 360 with an official statement (shared below), and the headline has been updated to reflect the same.
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defences. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.” – Nitin Gupta, VP of Engineering at WhatsApp
Researchers Reveal 3.5 Billion WhatsApp Accounts
A team of researchers at the University of Vienna and SBA Research has uncovered a vulnerability in WhatsApp’s contact-discovery system that enabled the enumeration of around 3.5 billion phone numbers and associated profile data. The research paper was published on GitHub and details their method, highlighting a critical security flaw in WhatsApp’s system.
The method exploited the fact that WhatsApp allows users to upload a phone book and quickly see which contacts already have accounts. The researchers automated the process by systematically inserting large sets of possible phone numbers and recording whether each number was registered. Because the system did not enforce effective rate-limiting, they were able to check tens of millions of numbers per hour.
Their analysis shows that for many of the discovered numbers, additional public metadata was available. Specifically, about 57 percent of the accounts had profile photos that were visible to “everyone,” and roughly 29 percent included text in the “About” field of the profile.
Interestingly, researchers also identified millions of accounts in countries where WhatsApp is banned. They found 2.3 million accounts in China, 1.6 million accounts in Myanmar, and about 60 million accounts in Iran by using phone-number ranges for those countries. “Phone numbers were not designed to be used as secret identifiers for accounts, but that’s how they’re used in practice,” a researcher was quoted as saying by Wired.
According to Wired, the researchers reached out to Meta to highlight the enumeration problem, which was then fixed by the company in October. Meta reportedly stated that the exposed information was “basic publicly available information” and that no message content or private data was accessed.
