Cybersecurity researchers have discovered a vulnerability in WhatsApp that, until recently, allowed users' phone numbers and profile pictures to be harvested in bulk without their knowledge.
According to a team from the University of Vienna, the flaw stemmed from the absence of rate-limiting on the "contact discovery" feature, which in principle allowed the phone numbers of most WhatsApp users to be collected, along with the profile pictures of some. Using what they described as a "simple" technique, the researchers enumerated 3.5 billion registered phone numbers by abusing the mechanism WhatsApp uses to tell a client which of the numbers it submits belong to registered accounts.
They explained that the app imposed no limit on the number of such checks a client could perform, so millions of queries per hour went through without triggering any alert or block. That made it possible to probe entire number ranges and collect every active account found, together with its profile picture and status text where those were visible.
The researchers warned that this vulnerability, present since at least 2017, could have led to the "largest data leak in history" if exploited by a malicious actor. They noted that the "contact discovery" feature, designed to make finding people easy by syncing the address book, inadvertently opened the door to the large-scale collection of user data.
Meta, WhatsApp's parent company, confirmed the existence of the flaw in a statement, but described it as the result of a "design decision that did not account for its implications".
Nitin Gupta, WhatsApp's Vice President of Engineering, told Wired magazine:
"The study helped test and bolster a new defense system against automated data scraping. We found no evidence of misuse of this pathway, users' messages remain fully end-to-end encrypted, and the researchers did not obtain any non-publicly available data."
Meta clarified that it fixed the flaw by adding a rate limit to the number of requests that can be made to check a number on WhatsApp. The company noted that the exposed data was "public", such as phone numbers and profile pictures available to everyone.
For their part, the researchers confirmed that WhatsApp's web interface let them send contact discovery requests at massive scale, collecting millions of records per hour. They also reported that 57% of the enumerated accounts had a publicly visible profile picture, while the status text was visible for 29% of them.
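The following is an added example, not code from the Vienna team, WhatsApp or Meta: a small Python model of a contact-discovery endpoint, first with no limit at all (the behaviour described above) and then with a per-client sliding-window rate limit of the kind Meta says it introduced. The directory of numbers, the 50-lookups-per-window budget, the batch sizes, the hypothetical client name "scraper" and the field names are all invented for illustration; the real protocol, limits and data formats are not described on this page.

```python
"""Model of contact-discovery enumeration and a rate-limited defence.

Constructed example: the directory, limits and API shape below are invented
for illustration and are not WhatsApp's API or Meta's implementation.
"""
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample directory: number -> (profile picture, status text).
# None means the user restricted that field, so the lookup never returns it.
REGISTERED = {
    "+15550000017": ("pic17.jpg", "Available"),
    "+15550000042": ("pic42.jpg", None),
    "+15550000099": (None, "At work"),
    "+15550000123": (None, None),
}


class RateLimited(Exception):
    """Raised when a client exceeds its lookup budget."""


@dataclass
class ContactDiscovery:
    """Answers 'which of these numbers have accounts, and what is public?'.

    With max_lookups_per_window=None the endpoint is unbounded (the flaw);
    otherwise each client may submit at most that many numbers per
    window_seconds, tracked with a per-client sliding window.
    """
    directory: dict
    max_lookups_per_window: Optional[int] = None
    window_seconds: float = 3600.0
    max_batch: int = 1000                       # assumed per-request cap
    clock: Callable[[], float] = time.monotonic  # injectable for testing
    _history: dict = field(default_factory=dict, init=False, repr=False)

    def _charge(self, client: str, n: int) -> None:
        """Debit n lookups from the client's window or raise RateLimited."""
        if self.max_lookups_per_window is None:
            return
        now = self.clock()
        window = self._history.setdefault(client, deque())
        while window and now - window[0][0] >= self.window_seconds:
            window.popleft()                    # drop entries outside the window
        used = sum(count for _, count in window)
        if used + n > self.max_lookups_per_window:
            raise RateLimited(f"{client}: {used}+{n} lookups exceeds "
                              f"{self.max_lookups_per_window} per window")
        window.append((now, n))

    def lookup(self, client: str, numbers: list) -> dict:
        """Return {number: public fields} for every registered number."""
        if len(numbers) > self.max_batch:
            raise ValueError("batch too large")
        self._charge(client, len(numbers))
        # Only fields the user made public are returned; unregistered and
        # fully restricted numbers are simply absent from the answer.
        return {n: {"picture": self.directory[n][0], "status": self.directory[n][1]}
                for n in numbers if n in self.directory}


def enumerate_range(service, client, prefix, start, stop, batch=100):
    """Attacker loop: walk a numeric range and collect every registered hit.

    Returns (hits, lookups_sent) and stops at the first RateLimited error.
    """
    hits, sent = {}, 0
    for lo in range(start, stop, batch):
        block = [f"{prefix}{i:07d}" for i in range(lo, min(lo + batch, stop))]
        try:
            hits.update(service.lookup(client, block))
        except RateLimited:
            break
        sent += len(block)
    return hits, sent


def demo():
    """Run the same scraper against the open and the rate-limited service."""
    open_service = ContactDiscovery(REGISTERED)
    hits, sent = enumerate_range(open_service, "scraper", "+1555", 0, 200)
    # All four accounts are found after 200 probes; nothing stops the loop.

    fake_clock = [0.0]
    limited = ContactDiscovery(REGISTERED, max_lookups_per_window=50,
                               clock=lambda: fake_clock[0])
    hits2, sent2 = enumerate_range(limited, "scraper", "+1555", 0, 200, batch=25)
    # The budget is exhausted after 50 probes; only the two accounts in the
    # first 50 numbers are found until the window expires.
    return hits, sent, hits2, sent2


if __name__ == "__main__":
    print(demo())
```

Run it and compare the two results: with no limit the scraper sees every account in the range after 200 probes, and for each one exactly the fields its owner left public, which mirrors the 57%/29% picture and status figures above. With the budget in place it is cut off after 50 probes. A per-client window only throttles a single client, though; an adversary who spreads the same range across many accounts or IP addresses still gets through, so a limit like this is normally paired with anomaly detection on the aggregate query pattern rather than relied on alone.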
Most alarmingly, the technique worked even in countries where WhatsApp is banned, such as China, Iran, Myanmar, and North Korea, which could expose users there to risk.
The researchers stated that they informed Meta immediately upon discovering the scope of the issue and then deleted the database after the study concluded. The company took about six months to patch the vulnerability and implement the new restrictions.