Caption – (Photo by Dima Solomin on Unsplash)
WhatsApp recently faced a major privacy concern after security researchers uncovered a flaw. It seems that an internal flaw in the Meta-owned app allowed the extraction of phone numbers and profile information of billions of users. Here’s more on that.
A research team from the University of Vienna disclosed that they successfully collected 3.5 billion phone numbers using what they termed a “simple” method that exploited WhatsApp’s contact-discovery feature. This mechanism is intended to check if a phone number is registered on the platform, but because WhatsApp had no effective rate limits, the system allowed millions of automated queries per hour.
By sending these automated checks, the researchers not only identified active WhatsApp accounts but also retrieved profile photos and status texts associated with many of them. They warned that if this flaw had been exploited by malicious entities, it could have resulted in the “largest data leak in history.”
According to the researchers, this vulnerability dates back to at least 2017. The timeline is also concerning since Meta had received warnings about similar privacy risks previously. WhatsApp’s contact-discovery tool, designed for convenience by syncing a user’s address book, inadvertently enabled large-scale data harvesting.
Meta acknowledged the flaw but suggested it stemmed more from an overlooked design choice than a technical bug. In a statement to Wired, WhatsApp’s vice president of engineering Nitin Gupta said, “This study was instrumental in stress-testing and confirming the immediate efficacy of (anti-scrapping) new defences We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
Meta has since added rate limits to prevent excessive querying of WhatsApp numbers. The company also stated that only publicly accessible information was exposed due to the flaw. Public information on WhatsApp includes phone numbers, name and profile photos.
The researchers further revealed that they used WhatsApp Web to submit high-volume contact-discovery requests, managing to scrape millions of entries every hour. They found that profile photos were visible for about 57% of the identified accounts, while profile text was accessible for 29%.
The method reportedly worked even in countries where WhatsApp is banned such as China, Iran, Myanmar, and North Korea.
Once the scale of the issue became clear, the researchers reported the flaw to Meta and deleted the scraped database after concluding their study. According to the report, Meta took roughly six months to implement a fix and introduce proper rate limits.
Answer. Researchers found that WhatsApp’s contact-discovery feature lacked rate limits, allowing automated queries to extract 3.5 billion phone numbers, profile photos, and status texts.
Answer. No. According to Meta, only publicly accessible information like phone numbers and profile photos was exposed. Messages remained secure due to end-to-end encryption.
Answer. Meta acknowledged the issue as a design oversight, not a bug, and has since implemented rate limits to prevent mass data scraping. The flaw reportedly existed since 2017.
Highlights Redmi 17 5G and POCO M8 Plus have appeared on the BIS database hinting…
Highlights Instagram has released Instants, a new feature and separate iPhone app that lets users…
Highlights WhatsApp has launched a new Incognito Chat mode for Meta AI conversations, giving users…
Highlights iQOO 15T and iQOO Pad 6 Pro are launching on May 20 in China.…
Highlights The Redmi Turbo 5 will be the first phone from the Turbo series to…
Highlights Oppo Find X10 series is expected to include Find X10, X10s Pro, X10 Pro,…
This website uses cookies.