WhatsApp easily exposed 3.5 billion people’s phone numbers



WhatsApp is huge, and its growth came in part from how easy it is to find people using the service: all you need is their phone number. Unfortunately, this also means every WhatsApp user’s phone number was, up until very recently, easily obtainable by anyone, including any nefarious hacker group out there.

This has been revealed by Austrian researchers, who were able to extract phone numbers for all 3.5 billion WhatsApp users. And for around 57% of those 3.5 billion users, the researchers were also able to access their profile photos, and for another 29%, the text on their profiles.

If you’re wondering what black hat hacking magic trick they needed to use, well, none. All they did was basically try to add billions of numbers, the same way you’d go about it. You add a number and then WhatsApp tells you if the person using that number has an account or not, and shows you their profile picture and account text.

That’s it, that’s what these researchers did, only on a massive scale, using WhatsApp Web, the service’s browser-based interface. They were able to check around 100 million phone numbers per hour earlier this year, since, despite WhatsApp parent Meta having been warned about this issue in 2017 by another researcher, it failed to do anything about it.

Thankfully, the Austrian researchers notified Meta about the problem in April, and by October the company had implemented rate-limiting to prevent such mass-scale contact discovery. But of course, this wasn’t implemented for many, many years, during which every type of nefarious actor could have exploited the system.
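To show what rate-limiting contact discovery means in practice, here is an added sketch (not Meta's code and not from the researchers) of a per-client token bucket that charges one token per phone number checked and counts refused lookups as an enumeration signal. The class name, burst size, refill rate and the replayed traffic are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float      # lookups the client may still make
    updated: float     # time of last refill, in seconds
    denied: int = 0    # lookups refused so far (enumeration signal)

class ContactLookupLimiter:
    """Per-client token bucket; each phone number checked costs one token."""

    def __init__(self, burst=1000, refill_per_sec=1.0):
        # Assumed values: the burst is sized to cover one address-book sync.
        self.burst = burst
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def allow(self, client_id, batch_size, now):
        """Return how many numbers of this batch may be answered."""
        b = self.buckets.setdefault(client_id, Bucket(self.burst, now))
        elapsed = max(0.0, now - b.updated)
        b.tokens = min(self.burst, b.tokens + elapsed * self.refill_per_sec)
        b.updated = now
        granted = min(batch_size, int(b.tokens))
        b.tokens -= granted
        b.denied += batch_size - granted
        return granted

    def suspects(self, denied_threshold):
        """Clients whose refused lookups exceed the threshold."""
        return sorted(c for c, b in self.buckets.items()
                      if b.denied > denied_threshold)

def replay(limiter, client_id, batch_size, batches, interval_s):
    """Replay constructed traffic; return the total lookups answered."""
    return sum(limiter.allow(client_id, batch_size, now=i * interval_s)
               for i in range(batches))

if __name__ == "__main__":
    lim = ContactLookupLimiter()
    # Constructed traffic: one 300-contact sync vs. an hour of 1000-number batches.
    print("phone-user answered:", replay(lim, "phone-user", 300, 1, 1))
    print("bulk-client answered:", replay(lim, "bulk-client", 1000, 3600, 1))
    print("flagged:", lim.suspects(denied_threshold=10_000))
```

With these assumed settings an ordinary address-book sync is answered in full, while a client submitting 3.6 million numbers in an hour gets a few thousand answers and is flagged for review.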

For its part, Meta stressed that all of this data is “basic publicly available information” and that profile photos and text weren’t exposed for users who opted to make that private. The company also assures everyone that it “found no evidence of malicious actors abusing this vector”, and “no non-public data was accessible to the researchers”.
