This doesn't seem like much of a leak. It sounds like users created public profiles that would be shown to anyone who entered their phone number while searching for other users.
The researchers managed to get a list of users and the public information in their profile by looking up random numbers, but all they got was the public information users put in their profiles.
Since facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly avilable information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
Why is it OK to allow enumeration of accounts with a given phone number, when it is generally considered to be a privacy and security violation to allow someone to enter email addresses and confirm if they have an account with a service or app?
I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.
This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
The EU had one job, and it was to block this deal. It was obvious that a company with no income and no real monetization model is not worth 19 Billion, and that Facebook is after the users. But no, they let it go through with some bs conditions. But hey, at least they forced apple to use usb-c, that made a real difference
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
I can't imagine the scrutiny you must face when your product becomes so mainstream that researchers literally work on identifying security vulnerabilities.
this is just... enumeration of phone numbers?
how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
Why isn't it a privacy and security problem if it is just done for a single phone number?
What is this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
I’ve actually thought of doing this myself, but there isn’t really much value in enumerating active phone numbers. Lest you run a full scale scam operation cold calling people to phish for their banking info.
My entire PII is already leaked elsewhere in other breaches.
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
I don't know if it's related but this morning I realized that I'd been logged out of my Whatsapp account. When I tried to log back in, I couldn't get Whatsapp to confirm my phone number. I didn't get the SMS they sent for the recovery code. Thankfully "call me" option worked for receiving the recovery code. But then I was asked a 2fa PIN which I (unfortunately) never had set up. "Forgot my PIN" also didn't send an email to my account (which I'm pretty sure I also hadn't set up anyway).
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.
If this is a security vulnerability, then these guys just documented their exploitation of said vulnerability. Sounds like a crime.
Proper research would be to identify an issue, write up the issue, conduct a handful of tests, report the issue. Improper research is enumerate the entire input space and gather as much data as you can from the target.
29 comments
[ 3.2 ms ] story [ 48.9 ms ] threadSince facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly avilable information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
Never gonna happen.
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
I assume it can be related to this leak? Knowing someone uses a service can increase the effectiveness of targeted phishing.
Interestingly it’s harder to block these senders that do not advertise a number on sms.
I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
What is this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
My entire PII is already leaked elsewhere in other breaches.
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.
Proper research would be to identify an issue, write up the issue, conduct a handful of tests, report the issue. Improper research is enumerate the entire input space and gather as much data as you can from the target.