
WhatsApp security flaw exposed 3.5B phone numbers – including yours


A massive WhatsApp security flaw exposed the phone number of almost every user on the planet – despite the fact that parent company Meta had been alerted to the vulnerability way back in 2017.

Security researchers were able to use what they described as a “simple” exploit to extract a total of 3.5 billion phone numbers from the messaging service …

The researchers say that if the same exploit had been used by bad actors, the result would have been “the largest data leak in history.”

The most egregious aspect of the privacy fail is that a different security researcher alerted Meta to the problem more than eight years ago, and in all of that time the company failed to implement the incredibly simple protection measure needed to fix it.

Wired reports.

WhatsApp’s mass adoption stems in part from how easy it is to find a new contact on the messaging platform: Add someone’s phone number, and WhatsApp instantly shows whether they’re on the service, and often their profile picture and name, too. Repeat that same trick a few billion times with every possible phone number, it turns out, and the same feature can also serve as a convenient way to obtain the cell number of virtually every WhatsApp user on earth—along with, in many cases, profile photos and text that identifies each of those users.

A security researcher back in 2017 found that the company provides no limit on the number of phone number checks you can carry out, enabling this kind of attack. Unbelievably, eight years later, a group of Austrian researchers from the University of Vienna were able to exploit the exact same flaw to obtain the phone number of almost every single WhatsApp user.

It took them just half an hour to capture the first 30 million US phone numbers, and after that they just kept going.

“To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented,” says Aljosha Judmayer, one of the researchers at the University of Vienna who worked on the study.

The researchers, of course, acted responsibly by deleting the database of phone numbers and alerting Meta. The company then took a further six months or so to implement a rate-limiting measure that prevents the feature from being exploited on this kind of mass scale.
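The defence the article describes is a per-client quota on contact-existence checks, plus some way to notice a client that is sweeping the number space rather than syncing an address book. The following is an added illustration of that pattern, not WhatsApp's or Meta's code and not anything from the researchers' study: a small contact-discovery service with a sliding-window rate limit per client and a miss-ratio heuristic that flags enumeration-like behaviour. The registered-number set, the quota values and the heuristic thresholds are constructed for the example.

```python
import time
from collections import deque

# Constructed sample registry of "known" numbers (made up for this example).
REGISTERED = {"+15550000001", "+15550000004", "+15550000009"}


class ContactDiscovery:
    """Contact-existence lookups behind a per-client sliding-window quota.

    Assumed policy: at most `limit` answered lookups per `window` seconds per
    client. Lookups beyond that return "rate_limited" instead of an answer,
    so a single client can no longer walk the whole number space.
    """

    def __init__(self, registered, window=60.0, limit=20, clock=time.monotonic):
        self.registered = registered
        self.window = window
        self.limit = limit
        self.clock = clock          # injectable so tests do not depend on wall time
        self.history = {}           # client_id -> deque[(timestamp, was_hit)]
        self.audit = []             # (event, client_id, number) for the SOC

    def _window(self, client_id, now):
        """Return the client's lookups still inside the sliding window."""
        dq = self.history.setdefault(client_id, deque())
        while dq and now - dq[0][0] > self.window:
            dq.popleft()
        return dq

    def lookup(self, client_id, number):
        now = self.clock()
        dq = self._window(client_id, now)
        if len(dq) >= self.limit:
            self.audit.append(("rate_limited", client_id, number))
            return "rate_limited"
        hit = number in self.registered
        dq.append((now, hit))
        return "registered" if hit else "unknown"

    def bulk_lookup(self, client_id, numbers):
        return [self.lookup(client_id, n) for n in numbers]

    def enumeration_suspects(self, min_lookups=10, min_miss_ratio=0.5):
        """Clients whose recent answered lookups were mostly misses.

        An address-book sync mostly hits registered numbers; a client sweeping
        the number space mostly misses. Thresholds are assumed values.
        """
        now = self.clock()
        flagged = []
        for client_id in list(self.history):
            dq = self._window(client_id, now)
            if len(dq) < min_lookups:
                continue
            misses = sum(1 for _, hit in dq if not hit)
            if misses / len(dq) >= min_miss_ratio:
                flagged.append(client_id)
        return sorted(flagged)


class FakeClock:
    """Manually advanced clock for a deterministic demonstration."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    svc = ContactDiscovery(REGISTERED, window=60.0, limit=5, clock=clock)
    # A client walking sequential numbers is cut off once the quota is spent.
    sweep = svc.bulk_lookup("scanner", [f"+1555000000{i}" for i in range(8)])
    # A client syncing two saved contacts stays well under the quota.
    sync = svc.bulk_lookup("alice", ["+15550000001", "+15550000009"])
    suspects = svc.enumeration_suspects(min_lookups=5, min_miss_ratio=0.5)
    clock.advance(61)  # the window slides and the scanner is answered again
    after = svc.lookup("scanner", "+15550000009")
    return sweep, sync, suspects, after


if __name__ == "__main__":
    for name, value in zip(("sweep", "sync", "suspects", "after"), demo()):
        print(name, value)
```

The quota alone stops the bulk harvest the article describes; the miss-ratio check is there because a quota set high enough for legitimate address-book syncs still lets a patient client enumerate slowly, and the audit entries give a detection team something to alert on.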
