Security researchers have disclosed a significant design flaw in WhatsApp’s contact-discovery system that allowed the enumeration of billions of accounts.
According to the researchers, a simple weakness let them access the profiles of some 3.5 billion accounts on the Meta-owned messaging application.
Although users’ messages remained encrypted, the weakness exposed account-level information, including phone numbers, location and the age of an account.
The researchers, from the University of Vienna and SBA Research, say the weakness let them abuse WhatsApp’s contact-discovery mechanism at scale.
They also found that there was no limit on how many numbers the mechanism could be queried with.
By exploiting this, the researchers were able to check around 100 million phone numbers every hour and so reach billions of user profiles.
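To make the design point concrete, the following is an added illustration written for this article; it is not WhatsApp’s or Meta’s code and makes no claim about how their service is implemented. It places a toy contact-discovery lookup with no limit beside one that caps the batch size and charges every queried number against a per-client sliding-window quota, so that splitting a sweep into many small requests does not help the caller. The registered numbers, client name, quota values and manual clock are all constructed for the demo.

```python
"""Unthrottled contact discovery versus a quota-limited design (added example).

Not WhatsApp/Meta code. Registered numbers, client ids and quota values below
are constructed for the demonstration only.
"""
from __future__ import annotations

import time
from collections import deque
from typing import Callable, Iterable

# Constructed sample of "registered" numbers in E.164 form (hypothetical data).
REGISTERED = {
    "+15551230001",
    "+15551230007",
    "+15551230042",
    "+15551230099",
    "+15551230742",
}


class UnlimitedDiscovery:
    """The weak design: any client may ask about any number of phone numbers."""

    def __init__(self, registered: set[str]) -> None:
        self._registered = registered

    def lookup(self, client_id: str, numbers: Iterable[str]) -> set[str]:
        return {n for n in numbers if n in self._registered}


class QuotaError(Exception):
    """Raised when a lookup would exceed the caller's quota."""


class QuotaLimitedDiscovery:
    """The hardened design: cap the batch size and charge each queried number
    against a per-client sliding-window quota."""

    def __init__(
        self,
        registered: set[str],
        max_batch: int = 50,
        max_per_window: int = 200,
        window_s: float = 3600.0,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._registered = registered
        self._max_batch = max_batch
        self._max_per_window = max_per_window
        self._window_s = window_s
        self._clock = clock
        # client id -> deque of (timestamp, numbers charged)
        self._spent: dict[str, deque[tuple[float, int]]] = {}

    def _used_in_window(self, client_id: str, now: float) -> int:
        q = self._spent.setdefault(client_id, deque())
        while q and now - q[0][0] >= self._window_s:
            q.popleft()  # drop charges that have aged out of the window
        return sum(count for _, count in q)

    def lookup(self, client_id: str, numbers: Iterable[str]) -> set[str]:
        wanted = list(dict.fromkeys(numbers))  # dedupe so repeats are charged once
        if len(wanted) > self._max_batch:
            raise QuotaError(f"batch of {len(wanted)} exceeds {self._max_batch}")
        now = self._clock()
        if self._used_in_window(client_id, now) + len(wanted) > self._max_per_window:
            raise QuotaError(f"{client_id} exceeded {self._max_per_window} per window")
        self._spent[client_id].append((now, len(wanted)))
        return {n for n in wanted if n in self._registered}


def sweep(service, client_id: str, prefix: str, count: int, batch: int = 50) -> tuple[set[str], int]:
    """Enumerate prefix+0000 .. prefix+(count-1) the way an attacker would.
    Returns (registered numbers found, numbers actually queried)."""
    found: set[str] = set()
    queried = 0
    candidates = [f"{prefix}{i:04d}" for i in range(count)]
    for i in range(0, len(candidates), batch):
        chunk = candidates[i : i + batch]
        try:
            found |= service.lookup(client_id, chunk)
        except QuotaError:
            break  # the hardened service stops the sweep here
        queried += len(chunk)
    return found, queried


class ManualClock:
    """Deterministic clock so window expiry can be shown without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = ManualClock()
    weak = UnlimitedDiscovery(REGISTERED)
    hard = QuotaLimitedDiscovery(REGISTERED, clock=clock)
    weak_found, weak_queried = sweep(weak, "attacker", "+1555123", 1000)
    hard_found, hard_queried = sweep(hard, "attacker", "+1555123", 1000)
    # After the window passes the quota refills; a real address-book sync
    # queries far fewer numbers than the cap and is never blocked.
    clock.now += 3600.0
    after_window = hard.lookup("attacker", ["+15551230742"])
    return {
        "weak_found": weak_found, "weak_queried": weak_queried,
        "hard_found": hard_found, "hard_queried": hard_queried,
        "after_window": after_window,
    }


if __name__ == "__main__":
    print(demo())
```

Against the unlimited service the sweep of 1,000 candidate numbers completes and recovers all five registered entries; against the quota-limited service it is cut off after 200 numbers and finds only the four that fall inside that range, and it can only continue once the window has elapsed. Real deployments would also key the quota to something harder to mint than a client id (device attestation, account age, phone-number reputation) and alert on clients that repeatedly hit the cap.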
Responding to the findings, Nitin Gupta, Vice President of Engineering at WhatsApp, said: “We are grateful to the University of Vienna researchers for their collaborative partnerships and diligence under our Bug Bounty program. This collaboration identified a novel record that surpassed our intended limits.”
The data the researchers obtained was only the kind of public information that anyone who knows a user’s phone number could already see.
In some countries, including the United States, Brazil and Mexico, that data was enough to place a user’s location down to the state.
Using the data collected while investigating the exposure, the researchers were able to reveal some surprising details about WhatsApp users worldwide.
While no private messages were exposed, the design flaw allowed the researchers to confirm the existence of nearly 3.5 billion WhatsApp accounts.
Meta has since been putting measures in place to close the flaw, a reminder of the ongoing challenge of protecting public data on global messaging platforms.