Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers

Link: https://yro.slashdot.org/story/25/11/18/14592...

Researchers at the University of Vienna extracted phone numbers for 3.5
billion WhatsApp users by systematically checking every possible number
through the messaging service's contact discovery feature. The technique
yielded profile photos for 57% of those accounts and profile text for 29
percent. The researchers checked roughly 100 million numbers per hour using
WhatsApp's browser-based app. The team warned Meta in April and deleted their
data. The company implemented stricter rate-limiting by October to prevent
such mass enumeration. Meta called the exposed information "basic publicly
available information" and said it found no evidence of malicious
exploitation. The vulnerability had been identified before. In 2017, Dutch
researcher Loran Kloeze published a blog post detailing the same enumeration
technique. Meta responded then that WhatsApp's privacy settings were
functioning as designed and denied him a bug bounty reward. The researchers
collected 137 million U.S. phone numbers. In India, they found nearly 750
million numbers. They also discovered 2.3 million Chinese numbers and 1.6
million Myanmar numbers, despite WhatsApp being banned in both countries. The
researchers analyzed the cryptographic keys and found some accounts used
duplicate keys. They speculate this resulted from unauthorized WhatsApp
clients rather than a platform flaw.

Read more of this story at Slashdot.

---
VRSS v2.1.180528