Major Security Flaw Exposed 3.5 Billion WhatsApp Phone Numbers



WhatsApp had a massive security flaw that put phone numbers of 3.5 billion users at risk


A significant security vulnerability was recently uncovered in WhatsApp's contact discovery feature: because the service answered "is this number registered?" for any number, as often as asked, researchers were able to enumerate essentially every registered account on the platform. The incident highlights a design oversight in the platform's contact-sync endpoint and the absence of rate-limiting controls on it.

Below is a summary of the issue, what was exposed, and what users can do.
1. The Core Flaw: The Contact Discovery Exploit
The issue stems from the way WhatsApp's contact discovery tool verifies whether a phone number has an account on the platform. Contact sync has to accept arbitrary numbers from a user's address book and report which of them are registered, so the existence check itself is by design; the defect was that nothing bounded how many numbers one client could ask about.
The Mechanism: Researchers from the University of Vienna found that they could feed this endpoint millions of candidate numbers per hour and learn, for each one, whether an account was registered.
The Problem: Crucially, WhatsApp reportedly had no effective rate limiting, and no alerting, on this automated high-volume querying, which allowed the researchers to automate the contact sync process across every plausible phone number worldwide.
This simple flaw could have enabled a mass scraping event, which the researchers warn could have been the "largest data leak in history."
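The following is an added example, not WhatsApp's code or the researchers' tooling, written to show the mechanism above in runnable form: a toy contact-discovery endpoint that answers existence checks without any limit, next to a hardened version that applies a per-client sliding-window quota and flags clients whose lookups are mostly misses (a real address-book sync is mostly numbers that are on the platform; a sweep of the number space is mostly numbers that are not). The registry of "registered" numbers, the client identifiers, the batch sizes and every threshold are constructed for illustration; WhatsApp's actual limits are not public.

```python
"""Toy contact-discovery endpoint: unthrottled (flawed) vs. rate-limited (hardened).

Added example, not WhatsApp's code. All numbers, client IDs and thresholds
are constructed for illustration.
"""
from collections import deque

# Constructed registry: every 7th number in a 100,000-number block is "registered".
REGISTERED = {f"+43664{n:07d}" for n in range(0, 100_000, 7)}


def discover_unthrottled(numbers):
    """The flawed design: answers every existence check, however many are asked.
    A client that feeds the whole number space through here learns every account."""
    return {n: (n in REGISTERED) for n in numbers}


class ContactDiscovery:
    """Hardened endpoint with two controls:
      1. a sliding-window per-client quota on lookups (max_lookups per window_s), and
      2. an anomaly check on the share of unregistered numbers a client asks about,
         evaluated once the client has queried at least min_sample numbers.
    """

    def __init__(self, max_lookups=5000, window_s=3600, max_miss_ratio=0.5, min_sample=200):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self.max_miss_ratio = max_miss_ratio
        self.min_sample = min_sample
        self._log = {}     # client_id -> deque of (timestamp, lookups_in_request)
        self._stats = {}   # client_id -> [total_queried, total_misses]
        self.blocked = set()

    def _used_in_window(self, client_id, now):
        """Drop log entries older than the window and return lookups still counted."""
        q = self._log.setdefault(client_id, deque())
        while q and now - q[0][0] >= self.window_s:
            q.popleft()
        return sum(count for _, count in q)

    def discover(self, client_id, numbers, now):
        """Answer existence checks for `numbers`, or refuse with a status code.
        `now` is an explicit clock (seconds) so the behaviour is deterministic."""
        if client_id in self.blocked:
            return {"status": "blocked", "results": {}}
        if self._used_in_window(client_id, now) + len(numbers) > self.max_lookups:
            return {"status": "rate_limited", "results": {}}

        results = {n: (n in REGISTERED) for n in numbers}
        self._log[client_id].append((now, len(numbers)))
        stats = self._stats.setdefault(client_id, [0, 0])
        stats[0] += len(numbers)
        stats[1] += sum(1 for hit in results.values() if not hit)

        # Enumeration heuristic: mostly misses over a meaningful sample means the
        # client is guessing numbers, not syncing an address book. Withhold the batch.
        if stats[0] >= self.min_sample and stats[1] / stats[0] > self.max_miss_ratio:
            self.blocked.add(client_id)
            return {"status": "blocked", "results": {}}
        return {"status": "ok", "results": results}


def normal_sync(endpoint, now=0):
    """Constructed legitimate client: 300 contacts, 250 registered and 50 not."""
    hits = [f"+43664{n:07d}" for n in range(0, 7 * 250, 7)]    # multiples of 7: registered
    misses = [f"+43664{n:07d}" for n in range(1, 7 * 50, 7)]   # 1 mod 7: not registered
    return endpoint.discover("phone-A", hits + misses, now)


def enumeration_sweep(endpoint, batch=1000, now=0):
    """Constructed attacker: walks the number block in order until the endpoint refuses."""
    found, statuses = [], []
    for start in range(0, 100_000, batch):
        nums = [f"+43664{n:07d}" for n in range(start, start + batch)]
        reply = endpoint.discover("scraper-1", nums, now)
        statuses.append(reply["status"])
        found += [n for n, hit in reply["results"].items() if hit]
        if reply["status"] != "ok":
            break
    return found, statuses


if __name__ == "__main__":
    all_numbers = [f"+43664{n:07d}" for n in range(100_000)]
    print("unthrottled sweep found", sum(discover_unthrottled(all_numbers).values()), "accounts")
    ep = ContactDiscovery()
    print("normal sync:", normal_sync(ep)["status"])
    found, statuses = enumeration_sweep(ep)
    print("sweep found", len(found), "accounts; statuses:", statuses)
```

The quota alone is not enough: a patient scraper spread across many clients stays under any per-client cap, which is why the hardened version also looks at what the client is asking, not just how much. Real deployments would key the quota on more than a client identifier (device attestation, account age, IP reputation) and would alert rather than silently block, but the two checks above are the shape of the control the flaw was missing.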
2. What Data Was Exposed?
It's important to understand the difference between scraped public data and leaked private data:
Phone Numbers: The researchers managed to identify and confirm approximately 3.5 billion active WhatsApp phone numbers globally.
Public Profile Data: For a significant portion of these accounts, they could also retrieve whatever each user's privacy settings made visible to non-contacts:
Profile Photos: Accessible for around 57% of the identified accounts.
"About" Text/Status: Visible for about 29% of the accounts.
What was NOT exposed: Messages, calls, or any other end-to-end encrypted content. The enumeration only returned account existence and the profile fields an account already exposed to strangers; WhatsApp's message encryption was not involved and remains intact.
3. WhatsApp's/Meta's Response
WhatsApp (owned by Meta) acknowledged the exploit, confirming the method was a novel enumeration technique that bypassed their existing limits.
They emphasized that the exposed information was considered publicly available data (meaning the phone number, and a public profile photo/status, which users control via privacy settings).
In response to the researchers' findings, Meta has since implemented new rate limits to prevent this type of mass scraping in the future.
4. Actionable Steps for Users
While the enumeration path has been rate-limited, this incident is a strong reminder to review your privacy settings. The biggest risk from this exposure is targeted scam and phishing attempts against numbers confirmed to be active on WhatsApp, made more convincing where a profile photo or "about" text was also collected.
Action: Review privacy settings
How to do it: Go to Settings > Privacy in WhatsApp.
Why it helps: Controls who can see your number, photo, and status, minimizing the public data an attacker can gather.

Action: Set profile photo to 'My contacts'
How to do it: In Settings > Privacy > Profile photo, change the setting from 'Everyone' to 'My contacts' or 'My contacts except...'.
Why it helps: Prevents unknown attackers from gathering visual data linked to your phone number.

Action: Enable two-step verification (2FA)
How to do it: Go to Settings > Account > Two-step verification and tap TURN ON.
Why it helps: Provides an extra layer of security, requiring a 6-digit PIN to set up WhatsApp on a new device.

Action: Be wary of phishing and scams
How to do it: Never respond to unsolicited messages, especially those asking for money, personal information, or a verification code.
Why it helps: A confirmed-active number is exactly what scammers want; ignoring unsolicited requests denies them the next step.
