WhatsApp Skipped A Very Basic Security Step
Researchers Gathered Data On 3.5 Billion WhatsApp Users In Two Days
WhatsApp has a feature which lets you find other users by the phone number associated with their account. This is handy when making a new connection, and it only confirms to that new connection that your phone number is on WhatsApp, then provides your name, any text you added to your public profile and your profile image, if you have one. That, in itself, is not particularly terrifying; you could get much the same thing from an old phone book. That old phone book would also give your home address, which is something WhatsApp will not provide.
The problem is that Meta hasn’t put any limits on the number of phone numbers you can query. Researchers in Austria used Google’s libphonenumber to generate random but validly formatted phone numbers and successfully gathered the data of more than 3.5 billion WhatsApp users. This was done over the course of two days, querying around 7,000 phone numbers every second from the same account and IP address; they were never blocked, nor did Meta follow up with them.
Allowing an endpoint to be queried without limit is something which should never happen; rate limiting lookups per account and per source address is one of the first things you do to secure a service, and a client whose lookups are almost all misses is a second obvious signal, since a real contact sync mostly asks about numbers that exist. Unlimited lookups are a scammer’s dream: they can verify which phone numbers belong to active accounts and then spam them. To make things even worse, many people put personal details into their public profile, which can then be leveraged for phishing.
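What those two controls look like in practice, as an added example that is not WhatsApp’s or the researchers’ code: a sliding-window rate limiter keyed on account and on source IP, plus a miss-ratio detector that flags accounts whose lookups are mostly for numbers that are not on the service. The endpoint name, limits (100 lookups per account and 500 per IP every 60 seconds, flag after 50 lookups with over 80% misses) and the log format are assumptions, and the sample traffic is constructed.

```python
"""Defensive controls for a contact-discovery ("is this number on the service?")
endpoint: per-account and per-source-IP rate limits plus a miss-ratio
enumeration score. Added example; the limits and log format are assumptions,
not WhatsApp's code or configuration. Sample log lines are constructed."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` in any trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class EnumerationDetector:
    """Legitimate contact sync looks up numbers the user already knows, so most
    lookups hit. A scanner feeding generated numbers mostly misses. Flag a key
    once it has made enough lookups and its miss ratio is high."""

    def __init__(self, min_lookups: int, max_miss_ratio: float):
        self.min_lookups = min_lookups
        self.max_miss_ratio = max_miss_ratio
        self.stats = defaultdict(lambda: [0, 0])  # key -> [lookups, misses]

    def observe(self, key: str, hit: bool) -> None:
        s = self.stats[key]
        s[0] += 1
        if not hit:
            s[1] += 1

    def is_suspicious(self, key: str) -> bool:
        lookups, misses = self.stats[key]
        return lookups >= self.min_lookups and misses / lookups > self.max_miss_ratio


def process_log(lines, account_limit=100, ip_limit=500, window=60.0):
    """Replay 'ts account ip e164_number hit|miss' lines (assumed format)
    through the controls. Returns allowed/blocked counts and flagged accounts."""
    by_account = SlidingWindowLimiter(account_limit, window)
    by_ip = SlidingWindowLimiter(ip_limit, window)
    detector = EnumerationDetector(min_lookups=50, max_miss_ratio=0.8)
    allowed = blocked = 0
    for line in lines:
        ts, account, ip, _number, outcome = line.split()
        now = float(ts)
        # Every attempt counts toward the enumeration score, blocked or not:
        # the attempt itself is the signal.
        detector.observe(account, outcome == "hit")
        # The IP limiter is only consulted (and charged) if the account limit passes.
        if by_account.allow(account, now) and by_ip.allow(ip, now):
            allowed += 1
        else:
            blocked += 1
    flagged = sorted(k for k in detector.stats if detector.is_suspicious(k))
    return {"allowed": allowed, "blocked": blocked, "flagged": flagged}


def build_sample_log():
    """Constructed traffic: one phone syncing 20 real contacts over 20 s, and
    one account hammering 300 generated numbers inside a single second."""
    lines = []
    for i in range(20):  # 16 hits, 4 misses (contacts not yet on the service)
        outcome = "miss" if i % 5 == 4 else "hit"
        lines.append(f"{i}.0 acct-legit 203.0.113.10 +4366000000{i:02d} {outcome}")
    for i in range(300):  # roughly 1 in 30 generated numbers is registered
        outcome = "hit" if i % 30 == 0 else "miss"
        lines.append(f"{100 + i / 1000:.3f} acct-scan 198.51.100.7 +4366{i:07d} {outcome}")
    return lines


if __name__ == "__main__":
    print(process_log(build_sample_log()))
```

Replaying the constructed log, the legitimate phone’s 20 lookups all pass and it is never flagged; the scanner gets its first 100 lookups through before the per-account window shuts it out, and its 97% miss ratio flags the account for review. Counting blocked attempts toward the score matters: a scanner that throttles itself just under the rate limit still shows the miss-heavy pattern.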
The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set.
More Tech News From Around The Web
- GlobalProtect VPN portals probed with 2.3 million scan sessions @ Bleeping Computer
- Apple N1 Wi-Fi Chip Improves On Older Broadcom Chips In Every Way @ Slashdot
- Browser Fingerprinting And Why VPNs Won’t Make You Anonymous @ Hackaday
- D-Link warns of new RCE flaws in end-of-life DIR-878 routers @ Bleeping Computer
- You Can Finally AirDrop Files Between Android and iPhone, Starting with Pixel 10 @ Slashdot
- Microsoft reveals new cloudy AI PC that’s not a Copilot+ PC @ The Register
- Massive Cloudflare outage was triggered by file that suddenly doubled in size @ Ars Technica
- Microsoft Azure Cobalt 200 Launched with 132 Arm Neoverse V3 Cores @ ServeTheHome
- In 1982, a physics joke gone wrong sparked the invention of the emoticon @ Ars Technica