
WhatsApp security flaw exposed 3.5B phone numbers – including yours [U]


Update, 7:11 p.m. ET: A Meta representative reached out to 9to5Mac and provided the following statement:

“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”

A massive WhatsApp security flaw exposed the phone number of almost every user on the planet – despite the fact that parent company Meta had been alerted to the vulnerability way back in 2017.

Security researchers were able to use what they described as a “simple” exploit to extract a total of 3.5 billion phone numbers from the messaging service …

The researchers say that if the same exploit had been used by bad actors, the result would have been “the largest data leak in history.”

The most egregious aspect of the privacy fail is that a different security researcher alerted Meta to the problem more than eight years ago, and in all of that time the company failed to implement the incredibly simple protection measure needed to fix it.

Wired reports:

WhatsApp’s mass adoption stems in part from how easy it is to find a new contact on the messaging platform: Add someone’s phone number, and WhatsApp instantly shows whether they’re on the service, and often their profile picture and name, too. Repeat that same trick a few billion times with every possible phone number, it turns out, and the same feature can also serve as a convenient way to obtain the cell number of virtually every WhatsApp user on earth—along with, in many cases, profile photos and text that identifies each of those users.

A security researcher back in 2017 found that the company provides no limit on the number of phone number checks you can carry out, enabling this kind of attack. Unbelievably, eight years later, a group of Austrian researchers from the University of Vienna were able to exploit the exact same flaw to obtain the phone number of almost every single WhatsApp user.

It took them just half an hour to capture the first 30 million US phone numbers, and after that they just kept going.
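The flaw described above is a contact-discovery lookup with no cap on how many numbers one client may check. The following is an added defender-side example, not code from the page, Wired, or Meta: a per-client lookup budget over a time window, with an alert raised the moment a client exhausts it. The window size, budget, client ids, and registered numbers are constructed assumptions, not WhatsApp's real settings.

```python
from collections import deque
import time

# Assumed policy values for illustration only (not WhatsApp's real limits).
WINDOW_SECONDS = 3600
MAX_LOOKUPS_PER_WINDOW = 500

# Constructed sample of registered numbers in E.164-style form.
REGISTERED = {"+15550100001", "+15550100007", "+15550100042"}


class ContactDiscovery:
    """Contact lookup that budgets distinct checks per client per window."""

    def __init__(self, now=time.monotonic):
        self._now = now          # injectable clock so the window can be tested
        self._history = {}       # client_id -> deque of lookup timestamps
        self.alerts = []         # detection events a SOC would ingest

    def _prune(self, q, now):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def check_numbers(self, client_id, numbers):
        """Return {number: is_registered} for the lookups that fit the budget.

        Raises PermissionError as soon as the client's window budget is used
        up, so a bulk sweep over a number range is cut off rather than served.
        """
        now = self._now()
        q = self._history.setdefault(client_id, deque())
        self._prune(q, now)
        results = {}
        for number in numbers:
            if len(q) >= MAX_LOOKUPS_PER_WINDOW:
                self.alerts.append(f"client {client_id} exceeded lookup budget")
                raise PermissionError("rate limit: contact lookups exhausted")
            q.append(now)
            results[number] = number in REGISTERED
        return results
```

The budget is per client and resets only as timestamps age out of the window, so a scraper that keeps going simply keeps hitting the limit while each refusal lands in `alerts`.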
