A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers (wired.com)

Researchers at the University of Vienna extracted phone numbers for 3.5 billion WhatsApp users by systematically checking every possible number through the messaging service's contact discovery feature. The technique yielded profile photos for 57% of those accounts and profile text for 29%. The researchers checked roughly 100 million numbers per hour using WhatsApp's browser-based app.

The team warned Meta in April and deleted their data. The company implemented stricter rate-limiting by October to prevent such mass enumeration. Meta called the exposed information "basic publicly available information" and said it found no evidence of malicious exploitation.

The vulnerability had been identified before. In 2017, Dutch researcher Loran Kloeze published a blog post detailing the same enumeration technique. Meta responded then that WhatsApp's privacy settings were functioning as designed and denied him a bug bounty reward.

The researchers collected 137 million U.S. phone numbers. In India, they found nearly 750 million numbers. They also discovered 2.3 million Chinese numbers and 1.6 million Myanmar numbers, despite WhatsApp being banned in both countries.

The researchers analyzed the cryptographic keys and found some accounts used duplicate keys. They speculate this resulted from unauthorized WhatsApp clients rather than a platform flaw.
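The mitigation the summary mentions, stricter rate limiting of contact discovery, and the enumeration pattern the researchers used can be reasoned about with a small model. What follows is an added illustration written for this page; it is not WhatsApp's code, Meta's actual policy, or the Vienna team's tooling. It implements a per-client sliding-window cap on lookups plus a second check for clients that walk a number block one number at a time, and replays three constructed traffic patterns against it. The window size, the cap, the sequential threshold, the client identifiers and the phone-number ranges are all assumptions made up for the example.

```python
"""Sliding-window rate limit plus a sequential-range heuristic for a
contact-discovery endpoint.

Added illustration only: the policy, thresholds, client names and traffic
are assumptions, not WhatsApp's implementation or the researchers' code.
"""
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumed window length
MAX_LOOKUPS = 5000      # assumed per-client cap per window
SEQ_THRESHOLD = 200     # assumed: this many n -> n+1 steps in a window looks like enumeration


class ContactDiscoveryLimiter:
    """Decide, per lookup, whether a client may resolve one more phone number."""

    def __init__(self, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS,
                 seq_threshold=SEQ_THRESHOLD):
        self.window = window
        self.max_lookups = max_lookups
        self.seq_threshold = seq_threshold
        self._allowed = defaultdict(deque)   # client -> timestamps of allowed lookups
        self._last_number = {}               # client -> last number it queried
        self._sequential = defaultdict(int)  # client -> count of n, n+1 steps this window

    def _evict(self, client, now):
        """Drop allowed-lookup timestamps that fell out of the window."""
        q = self._allowed[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if not q:  # window drained: forget the sequential history as well
            self._sequential[client] = 0
            self._last_number.pop(client, None)

    def lookup(self, client, number, now):
        """Return 'allow', 'deny:sequential' or 'deny:rate' for one lookup."""
        self._evict(client, now)
        last = self._last_number.get(client)
        if last is not None and number == last + 1:
            self._sequential[client] += 1
        self._last_number[client] = number
        # An address book is not a contiguous block of numbers; refuse block walkers
        # even before they reach the volume cap.
        if self._sequential[client] >= self.seq_threshold:
            return "deny:sequential"
        if len(self._allowed[client]) >= self.max_lookups:
            return "deny:rate"
        self._allowed[client].append(now)
        return "allow"


def run_clients(limiter=None):
    """Replay three constructed traffic patterns; return decision counts per client."""
    limiter = limiter or ContactDiscoveryLimiter()
    counts = defaultdict(lambda: {"allow": 0, "deny:sequential": 0, "deny:rate": 0})
    base = 14155550000  # constructed E.164-style number handled as an integer

    # 1. Normal address-book sync: 300 unrelated numbers uploaded at once.
    for i in range(300):
        counts["phone-a"][limiter.lookup("phone-a", base + 37 * i, now=0.0)] += 1

    # 2. Enumerator walking a 10,000-number block in order at 100 lookups/second.
    for i in range(10_000):
        counts["scraper-seq"][limiter.lookup("scraper-seq", base + i, now=i / 100)] += 1

    # 3. Enumerator shuffling the same block to dodge the sequential heuristic.
    block = list(range(base, base + 10_000))
    random.Random(1).shuffle(block)
    for i, n in enumerate(block):
        counts["scraper-shuf"][limiter.lookup("scraper-shuf", n, now=i / 100)] += 1

    return {client: dict(v) for client, v in counts.items()}


if __name__ == "__main__":
    for client, result in run_clients().items():
        print(client, result)
```

The shuffled scraper is the point of the third pattern: the sequential check alone is defeated by randomising the order, so the volume cap has to remain the backstop. Both checks key on a client identity, and the summary's 100 million lookups per hour implies the attacker was not bound by any such identity at the time; in practice per-client caps need to be paired with limits on whatever the enumerator can multiply (accounts, sessions, source addresses), otherwise a pool of registered numbers spreads the load under every individual cap.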
  • by TwistedGreen ( 80055 ) on Tuesday November 18, 2025 @10:09AM (#65802753)

    This is the case of security through "come on, nobody would ever waste their time doing that."

    That said, remember phone books?

  • I mean, Meta/Facebook/WhatsApp itself probably might not be happy with themselves if they don't like people crawling and gathering this data, but it's not something that can easily be prevented. There are SIM farms that have 100k + 200k SIM cards, and that's only what law enforcement caught in one case in one place https://www.cbsnews.com/news/f... [cbsnews.com] . Also, most people are directly concerned with people they know, and they should know better that if they put "I want to hurt my boss, XXX YYY" or a picture w

  • AFAICT (link is paywalled) they got numbers, sometimes photos, but not names?
    • They TRIED numbers and sometimes got pictures or status or whatever else people might have set to be visible for everyone (I think only the "hey there I'm using Whatsapp" thing is public by default).

  • Meta ffs (Score:5, Informative)

    by toxonix ( 1793960 ) on Tuesday November 18, 2025 @10:51AM (#65802867)

    Meta called the exposed information "basic publicly available information"

    Uhm, what it's called by everyone else in the tech industry is "personally identifiable information" or PII.
    And the security rules around PII are that it should not be exposed under any circumstances to anyone not authorized by the Person in question to view it.
    Basically publicly available for fox snakes.

    • agree.
      Also, my cell phone number I use for WhatsApp is not publicly available, not listed, so how does that fit into their thinking?
      • But it is!

        Anyone on the planet can dial your number and connect a call to you.

        What may not be "publicly available" is the association of your name with your number, but the number itself can be dialed by anyone.

    • Huh? This is literally your public WhatsApp profile (if you want it public in the first place). It's like https://www.facebook.com/Crist... [facebook.com] complaining OMG everyone can see the picture that I'm showing there and I set to be visible to everyone, and the name even if I didn't give it to anyone someone figured out ..../Cristiano/... is a likely page and got my picture !

      • Things businesses have to hide from unauthorized access or making public accidentally:

        Direct Identifiers
        Name
        Address
        Social Security number (SSN)
        Other identifying number or code
        Phone number
        Email address

        Indirect Identifiers
        Gender
        Race
        Birthdate
        Geographic indicators

        We can't even log these identifiers together internally. If we see First Name, Last Name, Phone Number in HTTP access logs and they're not replaced by ***** characters, we have to fix that right now.

        • Things businesses have to hide from unauthorized access or making public accidentally:

          Businesses only need to hide it if they are the data controller or the data processor engaged in confidence. YOUR PUBLIC PROFILE IS NOT THIS. *YOU* chose not to hide it. It is clearly mentioned that your profile is available and shared with others. It's your choice not to include a photo or your name in it.

    • Uhm, what it's called by everyone else in the tech industry is "personally identifiable information" or PII.

      Whether it's personal or not is irrelevant. It is published, by you. When you set up WhatsApp you're explicitly told it'll be available for others to see. You've explicitly authorised people to view it.

      Your name is considered personal information when you enter an agreement to share it in confidence. That's not what happens in public profiles. In other news Phonebooks used to exist, vast databases printed out and delivered to everyone in the city containing the PII of everyone else.

  • War dialing (Score:4, Interesting)

    by nycsubway ( 79012 ) on Tuesday November 18, 2025 @11:15AM (#65802901) Homepage

    Reminds me of war dialing, looking for modems to connect to a network.

    • This reminds me of Home Alone voicemail, except worse, just setting the message to "We're the McCallisters and will be in Paris for the holidays" but for a modern experience doing it on Meta's platform and then of course complain it's someone else's fault for the info getting public.

  • ... so if the police of these countries get their hands on this data they could sanction people with phone numbers from these countries.

    So, this is not "just phone numbers and pictures" but could result in serious consequences for some people.

    Also they found some drug dealers advertising their portfolio in their account description. This is a case where the police should actually try to "hack" Meta.

    • by Luckyo ( 1726890 )

      This is daft. Any criminal advertising their criminality on their PUBLIC PROFILE is asking for it.

      • It's daft on multiple layers, first these countries surely could get directly a list with the verification SMSes from the provider and won't have to go only for the subset of people that have a "Hey there! I am using Whatsapp" status and it's public for anyone to see (especially if this is a thing that carries heavy penalties).

  • Buy an empty prepaid SIM card, put it in, create the WhatsApp account and put the 'normal' one back in.

    Same way one does it for tablets.

    • This will only make all the people that know you unable to contact you (well, you might consider that a feature, but let's say this isn't what you're going for). First you'll have to contact each of them and go through the whole "who are you?" dance, that is if you don't fall into one of the many options that makes them ignore unknown numbers in the first place, and even if they see your chat or call don't take one of the other deny/ignore/report whatever option, especially after the scary "be careful

  • ..in something called a 'phone book'. I don't think we need to go to defcon 1 just yet.
