New Delhi, Nov 20 (SocialNews.XYZ) A major vulnerability in WhatsApp left the personal details of nearly 3.5 billion users exposed, a research report from the University of Vienna has claimed.
The team of researchers uncovered a weakness in the platform’s contact discovery feature that allowed them to systematically check every possible phone number and identify active WhatsApp accounts on a massive scale.
Meta, the owner of the messaging service, was made aware of the problem and has taken steps to resolve the issue.
They generated over 100 million queries per hour using an automated method and ultimately gathered information on users from 245 countries.
Although the information retrieved was limited to data already visible to anyone having a phone number -- such as public keys, profile photos, "about" text, and timestamps -- the researchers said these fragments were enough to infer additional insights, including a user's operating system, how long they had been on the platform, and the number of linked devices.
But what makes the discovery even more troubling is that a similar warning had been issued eight years ago. In 2017, a security researcher had flagged the absence of limits on the number of phone number checks a user could perform-a gap that made large-scale scraping possible.
Despite this early warning, the vulnerability remained unpatched until the University of Vienna team showed just how easily it could be exploited.
They extracted 30 million U.S. phone numbers in the first half hour of testing and continued collecting data without resistance from the WhatsApp servers.
Meta, in a statement to 9to5Mac, said it appreciated the researchers' role in uncovering the vulnerability and credited the researchers for their role in identifying a novel enumeration technique that outsmarted its intended safeguards.
The company said it had already been working on advanced anti-scraping systems, and the study helped confirm the effectiveness of these new protections. Meta also confirmed the data had been securely deleted by the researchers and added that it did not find any evidence of malicious exploitation of the vulnerability.
Source: IANS
About Gopi
Gopi Adusumilli is a Programmer. He is the editor of SocialNews.XYZ and President of AGK Fire Inc.
He enjoys designing websites, developing mobile applications and publishing news articles on current events from various authenticated news sources.
When it comes to writing he likes to write about current world politics and Indian Movies. His future plans include developing SocialNews.XYZ into a News website that has no bias or judgment towards any.
He can be reached at gopi@socialnews.xyz