Major WhatsApp Security Flaw Exposed 3.5 Billion Users’ Metadata
Vienna, Austria – Researchers at the University of Vienna and SBA Research have discovered a significant security vulnerability in WhatsApp, possibly impacting all 3.5 billion of its users. The flaw resided within the app’s contact discovery feature, allowing researchers to identify and collect metadata from a vast number of accounts – including approximately 8.4 million in Switzerland. A preprint of the study detailing the findings is available here.
The researchers exploited the contact discovery mechanism, which normally displays which of a user’s phone contacts also use WhatsApp. By querying the server with up to 100 million phone numbers per hour, they were able to map active WhatsApp accounts across 245 countries.
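The abuse described above is visible on the server side as an abnormal volume of contact-discovery lookups from a single client. The following is an added example, not code from the study or from WhatsApp, showing how a defender might flag such enumeration in request logs with a per-client sliding-hour budget. The log format, client identifiers, the one-hour window and the 10,000-lookup threshold are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real WhatsApp traffic):
# "<ISO timestamp> <client_id> <numbers_in_this_request>"
SAMPLE_LOG = """\
2025-01-01T10:00:00 client-A 50
2025-01-01T10:05:00 client-A 40
2025-01-01T10:00:00 client-B 5000
2025-01-01T10:10:00 client-B 5000
2025-01-01T10:20:00 client-B 5000
2025-01-01T11:30:00 client-B 5000
2025-01-01T10:00:00 client-C 900
"""

WINDOW = timedelta(hours=1)   # hypothetical sliding window
THRESHOLD = 10_000            # hypothetical per-client lookup budget per window


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, count) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, count = line.split()
        events.append((datetime.fromisoformat(ts), client, int(count)))
    events.sort(key=lambda e: e[0])
    return events


def find_enumerators(events, window=WINDOW, threshold=THRESHOLD):
    """Return {client: peak lookups within any sliding window} for clients over the budget.

    Each client keeps a deque of recent requests; entries older than the window are
    evicted as time advances, so the running total reflects only the last `window`.
    """
    recent = defaultdict(deque)   # client -> deque of (timestamp, count)
    running = defaultdict(int)    # client -> sum of counts currently in the window
    flagged = {}
    for ts, client, count in events:
        q = recent[client]
        q.append((ts, count))
        running[client] += count
        # Drop requests that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old_count = q.popleft()
            running[client] -= old_count
        if running[client] > threshold:
            flagged[client] = max(flagged.get(client, 0), running[client])
    return flagged


if __name__ == "__main__":
    for client, peak in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {peak} lookups within one hour exceeds budget {THRESHOLD}")
```

In the sample, client-B reaches 15,000 lookups within one hour and is flagged, while its later request at 11:30 counts alone because the earlier ones have aged out. A per-client budget of this kind is only one layer; the article notes that the researchers' technique went beyond the intended limits, so aggregate volume across clients is worth monitoring as well.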
Data Affected:
The collected data included phone numbers, public keys, timestamps, publicly available profile pictures, and “about” texts. This metadata could be used to infer additional details, such as account age and associated devices. Importantly, the study confirms that private message content remained protected due to WhatsApp’s end-to-end encryption. Nevertheless, researchers emphasize the risks associated with large-scale metadata collection and analysis.
“Our work shows that data protection risks can also arise when such metadata is collected and analyzed on a large scale,” stated Aljosha Judmayer of the University of Vienna.
Global Insights & Risks:
The research revealed surprising usage patterns. Millions of WhatsApp users were identified in countries where the app is officially banned, including China, Iran, and Myanmar. The study also showed that 81% of users utilize Android, while 19% use iOS. Moreover, the researchers observed variations in data protection practices and account activity across different nations.
Concerningly, the study found instances of security key reuse across multiple devices and phone numbers, potentially indicating the use of unofficial WhatsApp versions or fraudulent activity. Half of the 500 million numbers previously compromised in the 2021 Facebook data leak were also found to be active on WhatsApp, leaving those users vulnerable.
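Both findings in the paragraph above are checks a defender can run over a collected metadata set: grouping records by public key to find keys shared across several phone numbers or devices, and intersecting active numbers with a known-leaked list. The following is an added example, not the study's own code; the record layout, the key and device identifiers, and the leaked-number list are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the study's dataset):
# (phone_number, device_id, identity_public_key)
SAMPLE_RECORDS = [
    ("+41790000001", "dev-1", "pk-aaaa"),
    ("+41790000001", "dev-2", "pk-bbbb"),  # one number, two devices, distinct keys: expected
    ("+41790000002", "dev-3", "pk-cccc"),
    ("+41790000003", "dev-4", "pk-cccc"),  # same key on three different numbers: suspicious
    ("+41790000004", "dev-5", "pk-cccc"),
    ("+41790000005", "dev-6", "pk-dddd"),
    ("+41790000005", "dev-7", "pk-dddd"),  # same key on two devices of one number
]

# Constructed stand-in for a previously leaked number list (hypothetical values).
KNOWN_LEAKED = {"+41790000002", "+41790000099"}


def audit_key_reuse(records):
    """Split reused keys into two classes.

    Returns (cross_number, cross_device):
      cross_number: key -> sorted numbers, for keys seen on more than one phone number
      cross_device: key -> sorted devices, for keys seen on several devices of a single number
    A key appearing across numbers is reported only in cross_number.
    """
    numbers_by_key = defaultdict(set)
    devices_by_key = defaultdict(set)
    for number, device, key in records:
        numbers_by_key[key].add(number)
        devices_by_key[key].add(device)
    cross_number = {k: sorted(v) for k, v in numbers_by_key.items() if len(v) > 1}
    cross_device = {
        k: sorted(v)
        for k, v in devices_by_key.items()
        if len(v) > 1 and k not in cross_number
    }
    return cross_number, cross_device


def leaked_and_active(records, leaked):
    """Return the leaked numbers that also appear as active accounts in the records."""
    active = {number for number, _, _ in records}
    return sorted(active & leaked)


if __name__ == "__main__":
    by_number, by_device = audit_key_reuse(SAMPLE_RECORDS)
    print("keys shared across numbers:", by_number)
    print("keys shared across devices of one number:", by_device)
    print("leaked numbers still active:", leaked_and_active(SAMPLE_RECORDS, KNOWN_LEAKED))
```

The split matters for triage: a key shared across unrelated phone numbers points at an unofficial client or coordinated accounts, whereas a key reused across the devices of one number is a weaker signal that still deserves a look.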
Meta’s Response:
Researchers promptly alerted Meta (WhatsApp’s parent company) to the vulnerability and deleted all collected data prior to publication. Meta has since implemented countermeasures.
Nitin Gupta, VP of engineering at WhatsApp, stated, “This collaboration identified a novel enumeration technique that went beyond our intended limits and enabled researchers to scrape basic publicly available information. We had already worked on industry-leading anti-scraping systems, and this study was critical to stress testing and confirming the immediate effectiveness of these new defenses.”
Meta maintains there is currently no evidence of the vulnerability being exploited for malicious purposes.
Related Coverage:
* Recent WhatsApp Security Hole Affecting iPhones and Macs