A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers

Mass adoption of WhatsApp
Part of this comes from how easy it is to find a new contact on the messaging platform: add a person’s phone number and WhatsApp instantly shows whether they’re on the service, often along with their profile picture and name.
It turns out that if you repeat this same trick a billion times, once for every possible phone number, the same feature also becomes a convenient way to get the cell number of virtually every WhatsApp user on earth, as well as, in many cases, the profile photos and text identifying each of those users. The result is a sprawling exposure of the personal information of a significant fraction of the world’s population.
A group of Austrian researchers have now shown that they were able to use this simple method of checking all possible numbers in WhatsApp’s Contact Discovery to extract the phone numbers of 3.5 billion users of the messaging service. For around 57% of these users, they also found that they could access their profile photos, and for 29%, their profile text. Despite a previous warning about WhatsApp’s exposure of this data by another researcher in 2017, they say, the service’s parent company, Meta, still failed to limit the speed or number of contact discovery requests that researchers could make by interacting with WhatsApp’s browser-based app, allowing them to check about a hundred million numbers per hour.
The result would be “the largest data leak in history, had it not been collected in a responsibly conducted study,” as the researchers describe in a paper documenting their findings.
“To our knowledge, this is the most extensive exposure of phone numbers and associated user data ever documented,” says Aljosha Judmayer, one of the University of Vienna researchers who worked on the study.
The researchers say they notified Meta of their findings in April and deleted their copy of the 3.5 billion phone numbers. By October, the company had resolved the enumeration problem by adopting a stricter “rate limiting” measure that prevents the large-scale contact discovery method used by the researchers. But until then, the data exposure could also have been exploited by anyone using the same scraping technique, adds Max Günther, another researcher at the university who co-wrote the paper. “If we could get this back very easily, others could have done the same,” he says.
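To make concrete why a missing limit on contact-discovery requests turns a convenience feature into a bulk-enumeration oracle, and why the per-client rate limit Meta later adopted closes it, here is an added simulation. It is example code written for this article, not WhatsApp's, Meta's or the researchers' implementation, and it assumes a toy endpoint whose names (`contact_discovery`, `SlidingWindowLimiter`, `enumerate_range`), the made-up `+1555…` numbers, and the budget of 100 lookups per hour are all invented for illustration.

```python
from collections import deque

# Constructed sample data: a toy set of "registered" users (made-up E.164 numbers).
REGISTERED = {"+15550000007", "+15550000042", "+15550000314"}


class SlidingWindowLimiter:
    """Per-client sliding-window budget: at most `max_numbers` lookups per `window_seconds`.

    The budget is charged per *number* queried, not per request, so sending
    larger batches does not buy extra lookups (a common gap in naive limiters).
    """

    def __init__(self, max_numbers, window_seconds):
        self.max_numbers = max_numbers
        self.window = window_seconds
        self._log = {}  # client -> deque of (timestamp, numbers_charged)

    def _used(self, client, now):
        q = self._log.setdefault(client, deque())
        while q and now - q[0][0] >= self.window:  # drop entries outside the window
            q.popleft()
        return sum(count for _, count in q)

    def try_consume(self, client, count, now):
        """Reserve `count` lookups for `client`; False if that would exceed the window budget."""
        if self._used(client, now) + count > self.max_numbers:
            return False
        self._log[client].append((now, count))
        return True


class UnlimitedLimiter:
    """The weak configuration: every request is allowed, so enumeration is only bounded by bandwidth."""

    def try_consume(self, client, count, now):
        return True


def contact_discovery(client, numbers, limiter, now):
    """Toy contact-discovery endpoint.

    Returns the sorted subset of `numbers` that are registered, or None when the
    client is throttled. Returning a clear throttle signal (instead of silently
    dropping results) keeps legitimate address-book syncs debuggable.
    """
    if not limiter.try_consume(client, len(numbers), now):
        return None
    return sorted(n for n in numbers if n in REGISTERED)


def enumerate_range(client, limiter, start, count, batch=50, seconds_per_batch=1.0):
    """Simulate one client sweeping `count` consecutive numbers in batches.

    Returns (numbers_checked, registered_found, batches_throttled) so the effect
    of the limiter can be measured directly.
    """
    checked = found = throttled = 0
    now = 0.0
    for offset in range(0, count, batch):
        first = start + offset
        last = min(first + batch, start + count)
        nums = [f"+1555{n:07d}" for n in range(first, last)]
        result = contact_discovery(client, nums, limiter, now)
        if result is None:
            throttled += 1
        else:
            checked += len(nums)
            found += len(result)
        now += seconds_per_batch
    return checked, found, throttled


if __name__ == "__main__":
    # Weak setting: 1,000 numbers swept in 20 batches, nothing stops the sweep.
    print("unlimited:", enumerate_range("scraper", UnlimitedLimiter(), 0, 1000))
    # Corrected setting: 100 lookups per hour per client; the sweep stalls after two batches.
    print("limited:  ", enumerate_range("scraper", SlidingWindowLimiter(100, 3600), 0, 1000))
```

Run as a script, the unlimited run checks all 1,000 numbers and finds all three registered ones, while the rate-limited run checks only 100 before every further batch is refused. The design choices worth noting for a real deployment are the ones the simulation makes explicit: charge the budget per number rather than per request, key it to an authenticated account (not only an IP address, which scrapers rotate), and size the hourly ceiling to what a genuine address-book sync needs rather than what the endpoint can serve.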
In a statement to WIRED, Meta thanked the researchers, who reported their discovery through Meta’s “bug bounty” system, and described the exposed data as “publicly available basic information,” since profile photos and text were not exposed for users who chose to make them private. “We had previously worked on cutting-edge anti-scraping systems, and this study was instrumental in stress testing and confirming the immediate effectiveness of these new defenses,” writes Nitin Gupta, vice president of engineering at WhatsApp. Gupta adds: “We found no evidence of bad actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to researchers.”