A new research has shed light on a massive WhatsApp enumeration flaw that allowed them access to 3.5 billion users’ phone numbers and profile photos. This severe vulnerability is likley to allow hackers to access user names, phone numbers, profile photo, and even About Us section easily. If this dataset fell into the wrong hands, it could one of the largest data breach through a single vulnerability.
The research was conducted by researchers from the University of Vienna and SBA Research. It showed how they took advantage of a severe WhatsApp vulnerability to access more than 3.5 billion phone numbers. The vulnerability was found in WhatsApp’s contact discovery feature.
WhatsApp vulnerability explained
This feature checks if phone numbers from a user’s book are registered on WhatsApp or not. The research suggests that the ream was able to query billions of potential mobile numbers at a staggering rate of up to 7,000 per second without effective rate limiting or blocking. This enabled a complete ‘census’ of WhatsApp accounts worldwide, covering users in 245 countries.
What WhatsApp personal data could be accessed?
Apart from phone numbers, the researcher could access publicly available profile details, including display names, profile photos, and ‘About’ status text.
The report says that profile photos were present in over 57 percent of active accounts, and the about text was available for 29 percent of accounts, often revealing highly sensitive details such as sexual orientation, political views, drug-related information, professional email addresses, or links to other platforms like LinkedIn or Tinder.
Did Meta rectify this WhatsApp flaw?
This massive WhatsApp flaw was disclosed to Meta via its bug bounty program earlier thi syear. Since then, Meta has implemented stricter defences, and that the flaw has now been blocked. The company has confirmed that no evidence of malicious exploitation was found. The researchers claim that the collected data was securly deleted. Messages inside WhatsApp remain end-to-end encrypted so private chates remain unexposed.
What could be the consequences of data breach?
However, the gravity of this exposed WhatsApp vulnerability is profound. It is possibly one of the largest compilations of personal data ever assembled through a single vulnerability. If this fell into the hands of unethical users, it could trigger widespread spam, targeted phishing, identity theft, or harassment. Millions of active WhatsApp accounts were identified in banned countries like China, Iran, North Korea, and Myanmar as well.
