
A critical vulnerability was discovered in the popular messenger WhatsApp that allowed the phone numbers of almost all of its subscribers, nearly 3.5 billion people, to be extracted. Notably, experts had been pointing to this flaw since 2017, but the developer was slow to fix it until recently.

Researchers from the University of Vienna reported that they exploited a very simple method: WhatsApp lets a client check whether a given phone number is linked to an account, and often returns the user's name and avatar in response. By repeating such requests millions and billions of times, a substantial database of phone contacts could be accumulated. For a long time, WhatsApp imposed no limit on the number of these requests. According to one of the researchers, Aljosa Udjmajer, it took them just half an hour to obtain an initial 30 million numbers from the United States; after that, data collection continued automatically, essentially without obstacles. He calls what happened "the largest collection of phone numbers and accompanying information."

The scientists conducted their research as part of the Bug Bounty initiative; on completing the audit, they deleted the collected data themselves and informed Meta about the problem. In a response statement, Meta indicated that the collaboration helped test new anti-scraping protections that were already under development. Meta also emphasized that no instances of hackers exploiting the vulnerability had been found, and that users' private chats remained protected by end-to-end encryption. Nevertheless, it still took Meta about half a year to implement a basic limit on the frequency of requests, which is presumed to have closed the loophole.
The researchers are convinced that if this method had fallen into the hands of malicious actors, it could have amounted to an unprecedented case of personal data leakage.
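The two defensive measures the article mentions, a per-client limit on the frequency of lookup requests and anti-scraping detection, can be illustrated in code. The following is an added example written for this page; it is not WhatsApp's or the researchers' code, and the limiter design (a sliding window per client), the log format, and the sample lookup log are all constructed assumptions. It shows a contact-discovery lookup guarded by a rate limiter, and a detector that flags clients querying an unusually large number of distinct phone numbers within a short window, which is the signature of enumeration rather than normal contact syncing.

```python
"""Rate limiting and enumeration detection for a contact-discovery lookup endpoint.

Added example for this article. The limiter, log format and sample data are
constructed assumptions and do not describe WhatsApp's actual implementation.
"""
import re
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests lookups per client in any window_seconds span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._events = defaultdict(deque)  # client_id -> timestamps of recent lookups

    def allow(self, client_id, now):
        q = self._events[client_id]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def lookup_contact(directory, limiter, client_id, phone, now):
    """Answer a 'is this number registered?' query, refusing it once the client is over its limit."""
    if not limiter.allow(client_id, now):
        return "rate_limited"
    return "registered" if phone in directory else "unknown"


# Assumed log line format: "<unix_ts> client=<id> phone=<E.164> result=<registered|unknown|rate_limited>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) client=(?P<client>\S+) phone=(?P<phone>\+\d+) result=(?P<result>\w+)$"
)


def parse_log(lines):
    """Return (timestamp, client, phone) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["client"], m["phone"]))
    return events


def flag_enumerators(lines, window_seconds, distinct_threshold):
    """Flag clients that looked up more than distinct_threshold distinct numbers in any window_seconds span."""
    by_client = defaultdict(list)
    for ts, client, phone in parse_log(lines):
        by_client[client].append((ts, phone))
    flagged = set()
    for client, events in by_client.items():
        events.sort()
        window = deque()            # (ts, phone) pairs inside the current window
        counts = defaultdict(int)   # phone -> occurrences inside the window
        for ts, phone in events:
            window.append((ts, phone))
            counts[phone] += 1
            while window and ts - window[0][0] >= window_seconds:
                old_ts, old_phone = window.popleft()
                counts[old_phone] -= 1
                if counts[old_phone] == 0:
                    del counts[old_phone]
            if len(counts) > distinct_threshold:
                flagged.add(client)
                break
    return flagged


# Constructed sample log: one client syncing two contacts, one client walking a number range.
SAMPLE_LOG = [
    "100 client=alice phone=+15550000001 result=registered",
    "101 client=alice phone=+15550000002 result=unknown",
] + [
    f"{100 + i} client=bulk-client phone=+1555100000{i} result=unknown" for i in range(6)
]


def demo_limiter():
    """Five lookups by one client against a 3-per-60s limit; returns the per-request outcomes."""
    directory = {"+15550000001"}  # constructed set of registered numbers
    limiter = SlidingWindowLimiter(max_requests=3, window_seconds=60)
    outcomes = [lookup_contact(directory, limiter, "c1", "+15550000001", t) for t in (0, 1, 2, 3, 61)]
    outcomes.append(lookup_contact(directory, limiter, "c1", "+15550000009", 62))
    return outcomes


if __name__ == "__main__":
    print(demo_limiter())
    print(flag_enumerators(SAMPLE_LOG, window_seconds=60, distinct_threshold=5))
```

The limiter is the fix the article describes in its simplest form: once a client exhausts its quota, further lookups are refused rather than answered with a name and avatar. The detector complements it by looking at distinct numbers per window rather than raw request count, since a legitimate address-book sync repeats a bounded set of contacts while an enumeration run never repeats a number. Both thresholds here are arbitrary constructed values; a production deployment would tune them against real traffic.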