ShiftDelete.Net Global

Danger was imminent for WhatsApp’s 3.5 Billion Users!


One of the biggest reasons WhatsApp achieved its massive user base was that a phone number alone was enough to locate a person. Unfortunately, this simplicity also brought with it a major security vulnerability: until very recently, anyone, including malicious hackers, could easily obtain the phone numbers of all WhatsApp users.

This shocking incident, uncovered by Austrian researchers, has exposed the app’s security vulnerability. The researchers managed to obtain the phone numbers of all 3.5 billion WhatsApp users. It was reported that the profile photos of approximately 57% of these users and the profile texts of 29% were also accessed.

The fact that no sophisticated “hacking” method was required for this massive data leak only exacerbates the situation. The researchers explained that the method they used to obtain this data was essentially identical to what any other user does.

The method was incredibly simple: When you added a phone number to your contacts and saved it to WhatsApp, the app would show you if an account used that number, and if the account was public, it would also display the profile photo and text.

The researchers performed this process on a massive scale, using WhatsApp’s browser-based interface, WhatsApp Web. Earlier this year, it was reported that they were able to check approximately 100 million phone numbers per hour using this method.

It turned out that WhatsApp’s parent company, Meta, had been warned about this issue by another researcher in 2017, but despite this warning, it had failed to take any action for many years. Fortunately, Austrian researchers notified Meta in April, and the company finally implemented rate limiting in October to prevent mass-scale contact discovery. However, the fact that this measure came after years of exploitation by malicious actors caused significant concern.
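The kind of rate limiting described above can be sketched as a per-client budget on distinct numbers looked up. This is an added example, not Meta's implementation and not code from the original article; the class and function names, the budget of 500, the one-hour window and the `+999` sample numbers are all constructed assumptions.

```python
import time
from collections import defaultdict, deque


class DiscoveryLimiter:
    """Caps how many *distinct* numbers one client may look up per rolling window.

    Re-checking a number already seen in the window is free, so re-syncing a
    real address book is not penalised; sweeping a number range is.
    """

    def __init__(self, budget=500, window_s=3600):  # assumed limits, not WhatsApp's
        self.budget = budget
        self.window_s = window_s
        self._seen = defaultdict(dict)    # client -> {number: first_seen_ts}
        self._order = defaultdict(deque)  # client -> (ts, number), oldest first

    def allow(self, client, number, now=None):
        now = time.time() if now is None else now
        seen, order = self._seen[client], self._order[client]
        # Expire lookups that have left the rolling window.
        while order and order[0][0] <= now - self.window_s:
            _, old = order.popleft()
            seen.pop(old, None)
        if number in seen:
            return True                   # repeat lookup reveals nothing new
        if len(seen) >= self.budget:
            return False                  # budget spent: do not confirm the account
        seen[number] = now
        order.append((now, number))
        return True


def simulate_sweep(limiter, client, start, count, now=0.0):
    """Count how many lookups of a sequential (constructed) range are answered."""
    return sum(limiter.allow(client, f"+999{start + i:010d}", now)
               for i in range(count))


def clients_needed(rate_per_hour, budget_per_hour):
    """Clients required to sustain rate_per_hour under a per-client hourly cap."""
    return -(-rate_per_hour // budget_per_hour)  # ceiling division
```

With these assumed limits, the 100 million lookups per hour reported above would require 200,000 separate clients, which moves the defence from per-request throttling to account-creation and registration controls.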

Meta, however, defended itself against this revelation. The company emphasized that all the leaked data was “essentially public information” and that the data of users who chose to keep their profile photos and text private had not been exposed. Meta also stated that they “found no evidence” that malicious actors were exploiting this vector, and that researchers “did not have access to any non-public data.”
