How a simple security flaw exposed 3.5B WhatsApp numbers
Researchers were able to use WhatsApp's contact discovery feature to access phone numbers, profile images

Nov 19, 2025
09:52 am

What's the story

A group of Austrian researchers have discovered a major security flaw in WhatsApp, the popular messaging app owned by Meta. The researchers were able to use the platform's contact discovery feature to expose 3.5 billion phone numbers and other personal data, including profile pictures and user descriptions. This flaw would have resulted in "the largest data leak in history, had it not been collated as part of a responsibly conducted research study," the researchers said.

Methodology

How the researchers exploited WhatsApp's contact discovery feature

The researchers employed a simple yet effective technique: querying every possible phone number through WhatsApp's contact discovery. This let them confirm which numbers were registered with the messaging service. For about 57% of these users they could also retrieve the profile photo, and for another 29% the profile text. The team was able to check some 100 million numbers an hour through WhatsApp's browser-based app.
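The defensive counterpart to this methodology is telemetry that distinguishes an ordinary address-book sync from sequential enumeration of a contact-discovery endpoint. The following is an added example, not code from the study, from WhatsApp or from Meta: it runs two heuristics (lookup rate per sliding window, and the longest run of consecutive numbers queried) over a constructed log. The `Lookup` record, the thresholds and the sample traffic are all assumptions made for illustration.

```python
"""Heuristics for spotting mass enumeration of a contact-discovery endpoint.

Added example (not code from the study, from WhatsApp or from Meta). The log
format and every threshold below are assumptions made for illustration; a real
anti-scraping system tunes them against production traffic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    session: str   # client session that issued the contact-discovery query
    ts: float      # seconds since epoch
    number: int    # queried phone number, E.164 digits as an integer


# Assumed thresholds: a genuine address-book sync is at most a few thousand
# entries and is never a dense run of consecutive numbers.
WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 2000
MAX_CONSECUTIVE_RUN = 50


def peak_lookups_in_window(timestamps, window=WINDOW_SECONDS):
    """Largest number of lookups that fall inside any sliding time window."""
    peak = 0
    q = deque()
    for ts in sorted(timestamps):
        q.append(ts)
        while q and ts - q[0] > window:   # drop entries older than the window
            q.popleft()
        peak = max(peak, len(q))
    return peak


def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... among the queried numbers."""
    uniq = sorted(set(numbers))
    best = run = 1 if uniq else 0
    for prev, cur in zip(uniq, uniq[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(lookups):
    """Return {session: [reasons]} for sessions whose traffic looks like enumeration."""
    by_session = defaultdict(list)
    for lk in lookups:
        by_session[lk.session].append(lk)

    flagged = {}
    for session, items in by_session.items():
        reasons = []
        rate = peak_lookups_in_window([lk.ts for lk in items])
        if rate > MAX_LOOKUPS_PER_WINDOW:
            reasons.append(f"{rate} lookups within {WINDOW_SECONDS}s")
        run = longest_consecutive_run([lk.number for lk in items])
        if run > MAX_CONSECUTIVE_RUN:
            reasons.append(f"consecutive run of {run} numbers")
        if reasons:
            flagged[session] = reasons
    return flagged


def constructed_log():
    """Constructed sample traffic: one ordinary sync and one enumerating client."""
    # 300 scattered numbers over 30 s: what syncing a real address book looks like.
    legit = [Lookup("sess-legit", 1000.0 + i * 0.1, 4367000000000 + i * 7)
             for i in range(300)]
    # 5000 strictly sequential numbers in 50 s: the enumeration signature.
    scraper = [Lookup("sess-scraper", 1000.0 + i * 0.01, 4367010000000 + i)
               for i in range(5000)]
    return legit + scraper


if __name__ == "__main__":
    for session, reasons in detect_enumeration(constructed_log()).items():
        print(session, "->", "; ".join(reasons))
```

Running the module flags only `sess-scraper`, on both counts. The two heuristics are deliberately independent: a rate limit alone is defeated by spreading queries across many sessions, while the consecutive-run check catches a slow but systematic sweep even at a modest rate, so both signals belong in the same decision.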

Company statement

Meta's response to the data exposure incident

Meta has acknowledged the researchers' findings, which were reported through its "bug bounty" system. The company described the exposed data as "basic publicly available information," noting that profile photos and text weren't exposed for users who opted to make it private. Nitin Gupta, WhatsApp's VP of engineering, said they had already been working on anti-scraping systems and this study was instrumental in stress-testing these defenses.

Privacy issues

Researchers' concerns over WhatsApp's privacy measures

Despite Meta's claims, the researchers said they didn't bypass or even encounter any "defenses" in collecting the phone numbers. They also noted that a significant number of accounts used duplicate keys, which is a security issue as it could allow anyone with the same key to decrypt messages sent to them. The researchers speculated that this key duplication was likely due to unauthorized WhatsApp clients rather than a flaw in WhatsApp itself.

Identifier debate

Concerns over phone numbers as unique identifiers

The researchers also raised concerns over the use of phone numbers as unique identifiers for services with billions of users. They argued that this lack of randomness makes it easy to scrape user data en masse. "If you have a big service that's used by more than a third of the world population and this is the discovery mechanism, that's a problem," said Aljosha Judmayer, one of the researchers at the University of Vienna who worked on the study.