WhatsApp is huge, and its growth has come from how easy it is to find people using the service — all you need is their phone number. Unfortunately, this also means that every WhatsApp user’s phone number was, very recently, easily obtainable by anyone.
This has been revealed by Austrian researchers, who were able to extract phone numbers for all 3.5 billion WhatsApp users. And for about 57% of those 3.5 billion users, the researchers were also able to access their profile photos, and for another 29%, the text on their profiles.
If you're thinking they must have needed some black hat hacking magic tricks, well, no. They basically just tried adding billions of numbers, and that's how you go about it. You add a number, and WhatsApp tells you whether the person using that number has an account and shows you their profile picture and account text.
That is, the researchers only used the service's browser-based interface, WhatsApp Web, at large scale. They managed to check 100 million phone numbers per hour earlier this year, after WhatsApp parent Meta failed to do anything about the problem when another researcher alerted the company to it in 2017.
Thankfully, the Austrian researchers notified Meta of the problem in April, and by October the company had implemented rate limiting to prevent mass contact discovery. But of course, it wasn't enforced for many, many years, during which all sorts of nefarious actors could have exploited the system.
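One way to implement the kind of rate limiting described above, as an added example (this is not Meta's implementation, nor code from the researchers): a sliding-window budget on the number of distinct phone numbers a client may look up. The class name, the budget of 500 new numbers per hour and the sample numbers are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class ContactDiscoveryLimiter:
    """Sliding-window budget on DISTINCT phone numbers looked up per client.

    Assumed policy (not WhatsApp's): re-checking a number already seen inside
    the window is free, so ordinary address-book re-syncs are not penalised,
    while sweeping a number range exhausts the budget quickly.
    """

    def __init__(self, max_new_numbers=500, window_seconds=3600):
        self.max_new = max_new_numbers
        self.window = window_seconds
        self._events = defaultdict(deque)  # client -> deque of (first_seen, number)
        self._seen = defaultdict(set)      # client -> numbers charged in the window

    def _expire(self, client, now):
        # Drop lookups that have aged out of the window and refund their budget.
        events, seen = self._events[client], self._seen[client]
        while events and now - events[0][0] >= self.window:
            _, number = events.popleft()
            seen.discard(number)

    def allow(self, client, number, now=None):
        """Return True if the lookup may be answered, False if it is throttled."""
        now = time.monotonic() if now is None else now
        self._expire(client, now)
        seen = self._seen[client]
        if number in seen:             # repeat lookup: no extra cost
            return True
        if len(seen) >= self.max_new:  # budget spent: give no account/no-account answer
            return False
        seen.add(number)
        self._events[client].append((now, number))
        return True


def simulate_sweep(limiter, client, start, count, duration_seconds):
    """Replay `count` sequential numbers spread evenly over `duration_seconds`.

    Constructed traffic: a scaled-down stand-in for a bulk enumeration run.
    Returns how many lookups were answered.
    """
    step = duration_seconds / count
    return sum(limiter.allow(client, start + i, now=i * step) for i in range(count))
```

Counting distinct numbers rather than raw requests is what separates a phone re-syncing the same few hundred contacts from a client walking through a number range.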
For its part, Meta asserted that all of this data is “basically available information” and that profile photos and text are not exposed for users who chose to make them private. The company also assured everyone that it “found no evidence of malicious actors using this vector”, and “no non-public data was accessible to researchers”.