WhatsApp flaw exposed data of 3.5 billion users, researchers say

A recent investigation by the University of Vienna has uncovered a critical security flaw in WhatsApp that compromised the personal information of approximately 3.5 billion users globally. The issue was traced back to the application's contact discovery function, which allowed the researchers to rapidly scan numerous phone numbers to identify active accounts. Meta, the parent company of WhatsApp, was promptly alerted about this vulnerability and has since initiated corrective measures. The research team utilized an automated approach that enabled them to execute over 100 million queries each hour, resulting in the collection of user data across 245 nations. While the information obtained consisted solely of publicly accessible details—such as profile pictures, public keys, 'about' messages, and timestamps—the researchers noted that these elements could potentially disclose more sensitive insights. For instance, they were able to deduce a user’s operating system, the duration of their WhatsApp usage, and the number of devices linked to their accounts. The implications of these findings are particularly concerning, given that similar vulnerabilities had been flagged in the past. In 2017, a security expert had pointed out that WhatsApp lacked effective restrictions on the number of phone number checks, opening the floodgates for extensive data scraping. Despite this prior warning, the issue persisted until it was brought back into the spotlight by the University of Vienna's team, who demonstrated just how easily it could be exploited. During their experiment, the researchers managed to acquire 30 million U.S. phone numbers within just half an hour, continuing their data collection without facing any obstacles from WhatsApp's systems. In a response to 9to5Mac, Meta expressed appreciation for the researchers' work and acknowledged that they had identified a novel enumeration technique that circumvented existing security measures. The company emphasized that it was already in the process of enhancing its anti-scraping technologies, and the study has further validated the efficacy of these new protections. Meta also confirmed that the researchers deleted the data securely and found no indications of malicious use of the vulnerability.