WhatsApp has grown enormously, and its growth is partly due to how easy it is for people to find each other – you only need their phone number. This also means that, until very recently, every WhatsApp user’s number was easily accessible to anyone, including nefarious hacker groups.
Austrian researchers were able to extract the phone numbers of all 3.5 billion WhatsApp users. They were also able to view the profile photos of 57% of those 3.5 billion users and the profile text of 29%.
If you’re wondering what black-hat hacking magic trick the researchers used, they didn’t need one. They tried to add billions of phone numbers as contacts, the same way you would. WhatsApp tells you whether a person has an account by showing you their profile image and profile text.
That is what these researchers did, but on a large scale and using WhatsApp Web’s browser interface. They were able to check around 100,000,000 phone numbers per hour at the beginning of this year. This was despite WhatsApp’s parent company Meta having been warned about this issue by another researcher in 2017.
Thankfully, the Austrian researchers informed Meta about the problem in April, and by October the company had implemented rate limiting to stop such mass-scale contact discovery. That fix came many, many years after the first warning, during which every kind of malicious actor could have abused the system. Meta, for its part, stressed that this data was “basic publicly available information” – and that users who chose to make their profile private were not exposed. The company also says it “found no evidence of malicious actors abusing this vector” and that “no non-public data was accessible to the researchers”.
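The control the article says Meta eventually added is a rate limit on contact discovery. The sketch below is an added example, not WhatsApp’s or Meta’s code: a per-account sliding-window limiter placed in front of a contact-lookup function, with a small harness that shows a normal user looking up a handful of numbers passing untouched while a bulk checker is cut off after the cap. The directory contents, the limit of 100 lookups per hour, the account names and the `DIRECTORY`, `SlidingWindowLimiter`, `discover_contact` and `run_lookups` names are all assumptions made for the illustration.

```python
from collections import deque
from typing import Deque, Dict, List

# Constructed sample directory (hypothetical): number -> the profile data a
# successful contact-discovery lookup would reveal, as the article describes.
DIRECTORY: Dict[str, dict] = {
    "+15550000001": {"photo": True, "about": "Hey there!"},
    "+15550000007": {"photo": False, "about": ""},
}


class SlidingWindowLimiter:
    """Allow at most `limit` lookups per `window` seconds for each key.

    Each key (here: the account doing the lookups) keeps a queue of the
    timestamps of its recent lookups; timestamps older than the window are
    discarded before the count is compared against the limit.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def discover_contact(limiter: SlidingWindowLimiter, account: str,
                     number: str, now: float) -> dict:
    """Contact-discovery lookup guarded by the per-account limiter.

    Over the cap the caller gets a throttling response instead of an answer,
    so it learns nothing about whether `number` has an account.
    """
    if not limiter.allow(account, now):
        return {"status": "rate_limited"}
    profile = DIRECTORY.get(number)
    if profile is None:
        return {"status": "no_account"}
    return {"status": "ok", **profile}


def run_lookups(limiter: SlidingWindowLimiter, account: str,
                numbers: List[str], start: float,
                interval: float) -> Dict[str, int]:
    """Issue lookups at a fixed interval and tally the statuses returned."""
    counts: Dict[str, int] = {}
    for i, number in enumerate(numbers):
        res = discover_contact(limiter, account, number, start + i * interval)
        counts[res["status"]] = counts.get(res["status"], 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed policy: 100 lookups per account per hour.
    limiter = SlidingWindowLimiter(limit=100, window=3600)

    # A normal user adding a few contacts over a few minutes.
    normal = ["+15550000001", "+15550000002", "+15550000007"]
    print("normal user:", run_lookups(limiter, "alice", normal, 0.0, 60.0))

    # A bulk checker sweeping a constructed range at ~28 lookups/second.
    sweep = ["+1555%07d" % n for n in range(1000)]
    print("bulk checker:", run_lookups(limiter, "scanner", sweep, 0.0, 0.036))
```

Keying the limiter on the account alone is the simplest form; an enumeration campaign can be spread across many throwaway accounts, so a production deployment would also budget lookups per device, per source address and per newly registered account, and would alert when a single account’s lookups are overwhelmingly unknown numbers, which is the signature of a sweep rather than of someone importing their address book.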