Sunday, 07 December 2025
20 November 2025, 07:43

Khaberni - Cybersecurity researchers have uncovered a flaw in the WhatsApp application that, until recently, allowed users' phone numbers and profile pictures to be collected without their knowledge.

According to a team from the University of Vienna, the flaw stemmed from a lack of rate limiting in the "Contact Discovery" feature, which in theory allowed the phone numbers of most WhatsApp users, along with some of their profile photos, to be harvested.

Researchers were able to extract 3.5 billion phone numbers using a technique they described as "simple," by exploiting WhatsApp's mechanism for verifying registered numbers.

They explained that the app imposed no limit on the number of verification operations a user could perform: millions of queries per hour could be executed without triggering any alert or block. This made it possible to test wide ranges of numbers and gather data on active accounts, their profile photos, and their associated status texts.

The researchers warned that this flaw, present since at least 2017, could have led to "the largest data breach in history" if exploited by malicious actors.

They noted that the "Contact Discovery" feature, designed to make it easy to find people by syncing the address book, unintentionally opened the door to collecting user data on a large scale.

In a comment, Meta, the owner of WhatsApp, confirmed the existence of the flaw but explained that it was the result of "a design decision that did not consider its implications."

Nitin Gupta, Vice President of Engineering at WhatsApp, said in a statement to Wired magazine: "The study helped in testing and strengthening the new defense system against automated data scraping operations, and we found no evidence of misuse of this pathway. User messages remain fully encrypted, and the researchers did not obtain any undisclosed data."

Meta clarified that it had fixed the bug by adding a limit on the rate at which requests can be made to check whether a number is registered on WhatsApp, and noted that the exposed data was "public," such as phone numbers and publicly visible profile pictures.
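As an added example (not Meta's, WhatsApp's or the researchers' code), the kind of per-client cap the fix describes: a sliding-window limit on number-existence lookups, keyed on the requesting client, so that a normal address-book sync is answered but a bulk sweep is cut off. The registered-number set, client ids, limits and phone numbers are all constructed for illustration.

```python
import time
from collections import deque

# Constructed set standing in for the registered-number directory.
REGISTERED = {"+15550000001", "+15550000002", "+15550000007"}


class ContactDiscoveryGate:
    """Allows at most `max_lookups` number checks per client per `window_s` seconds."""

    def __init__(self, max_lookups=500, window_s=3600.0):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self._events = {}   # client_id -> deque of lookup timestamps
        self.rejected = {}  # client_id -> count of throttled lookups (for alerting)

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window_s:
            q.popleft()

    def lookup(self, client_id, number, now=None):
        """Return True/False if `number` is registered, or None when throttled."""
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(client_id, deque())
        self._prune(q, now)
        if len(q) >= self.max_lookups:
            self.rejected[client_id] = self.rejected.get(client_id, 0) + 1
            return None  # throttled: no existence signal is returned
        q.append(now)
        return number in REGISTERED


def simulate(gate, client_id, numbers, start=0.0, step=0.001):
    """Issue lookups at fixed spacing; return (answered, throttled) counts."""
    answered = throttled = 0
    for i, n in enumerate(numbers):
        if gate.lookup(client_id, n, now=start + i * step) is None:
            throttled += 1
        else:
            answered += 1
    return answered, throttled


# Constructed inputs: a 300-number address-book sync versus a 10,000-number sweep.
SYNC = ["+1555%07d" % i for i in range(300)]
SWEEP = ["+1555%07d" % i for i in range(10_000)]
```

The `rejected` counter is the signal a detection pipeline would alert on: a single client hitting the cap repeatedly within one window is the enumeration pattern the article describes.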

For their part, the researchers confirmed that using the WhatsApp web interface enabled them to send contact discovery requests at massive scale, collecting millions of records every hour.

They revealed that 57% of the accounts they detected had a visible profile picture, and a text status was visible for 29% of them.

Moreover, the technique worked even in countries where WhatsApp is banned, such as China, Iran, Myanmar, and North Korea, which could put users there at risk.

The researchers said they informed Meta immediately upon discovering the extent of the problem and deleted the database after completing the study; the company took about 6 months to fix the flaw and impose the new restrictions.
