
Viennese Researchers Uncover Mega Security Flaw in WhatsApp

Privacy alarm at WhatsApp. ©APA/AFP/KIRILL KUDRYAVTSEV
Viennese researchers have discovered a significant security vulnerability in WhatsApp. Through a technical loophole, they were able to identify 3.5 billion accounts worldwide. Meta has since closed the gap.

Viennese researchers have discovered a major security vulnerability in WhatsApp. Due to the weakness in the so-called Contact Discovery Mechanism of the messenger, they were able to conduct a comprehensive evaluation of all WhatsApp accounts worldwide and identify 3.5 billion WhatsApp accounts, the University of Vienna announced on Tuesday. According to the release, WhatsApp has since resolved the issue in collaboration with the researchers and closed the gap.

Vulnerability in Contact Matching Exploited

When a WhatsApp user saves a new phone number in their phone, they can immediately see whether that person is reachable via WhatsApp. This is because WhatsApp synchronizes the phonebook with the server of Meta, the operator of WhatsApp, in the background, explained Gabriel Gegenhuber from the University of Vienna to the APA. The computer scientist, together with his colleagues from the University of Vienna and SBA Research, a research center for information security, demonstrated how this Contact Discovery Mechanism can be misused for large-scale user enumeration.

3.5 Billion WhatsApp Accounts Identified – Including Prohibited Countries

The researchers managed to query more than 100 million phone numbers per hour from the server. As a result, they were able to confirm more than 3.5 billion active accounts worldwide. Whether these are indeed all existing WhatsApp accounts is not known exactly to the computer scientists, "but roughly it should be about right"; it is at least the lower limit, according to Gegenhuber.

"Typically, not so many requests should be answered in such a short time and from one source or server," explained Gegenhuber. Due to the security vulnerability, however, the researchers were able to make unlimited requests to the server and thus conduct a worldwide survey.
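The weakness described above is the absence of a per-source quota on contact-discovery lookups. As an added illustration, not code from WhatsApp, Meta or the researchers, the following sliding-window guard caps how many distinct numbers one source may look up per hour and flags the enumeration pattern; the window length, the limit and the sample sources are constructed values.

```python
"""Per-source quota for a contact-discovery endpoint (constructed example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600          # assumption: one-hour window
MAX_DISTINCT_PER_WINDOW = 5000  # assumption: far above any real phonebook sync


class ContactDiscoveryGuard:
    """Allows a source at most `limit` distinct numbers per `window` seconds."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)  # source -> deque of (timestamp, number)
        self._seen = defaultdict(dict)     # source -> {number: hits inside window}

    def _expire(self, source, now):
        """Drop lookups older than the window so the quota slides with time."""
        events, seen = self._events[source], self._seen[source]
        while events and now - events[0][0] >= self.window:
            _, number = events.popleft()
            seen[number] -= 1
            if seen[number] == 0:
                del seen[number]

    def check(self, source, number, now):
        """Return True if the lookup is allowed, False if it would exceed the quota.

        Repeated lookups of a number already counted (a normal re-sync) are free;
        only *new* distinct numbers consume quota, which is what enumeration does.
        """
        self._expire(source, now)
        seen = self._seen[source]
        if number not in seen and len(seen) >= self.limit:
            return False  # enumeration pattern: too many distinct numbers
        self._events[source].append((now, number))
        seen[number] = seen.get(number, 0) + 1
        return True


def simulate(guard, source, numbers, start=0.0, rate_per_sec=100.0):
    """Feed a batch of lookups from one source; return how many were allowed."""
    allowed = 0
    for i, number in enumerate(numbers):
        if guard.check(source, number, start + i / rate_per_sec):
            allowed += 1
    return allowed
```

A legitimate client syncing a few hundred contacts is never blocked, while a source walking through number ranges is cut off at the quota until its window expires.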

This allowed them to collect data such as phone numbers, public keys necessary for end-to-end encryption, timestamps, and - if set publicly - profile pictures and About text. From this data, the experts were able to extract additional metadata that allowed conclusions about the users' operating system, the age of the account, and the number of connected secondary devices, such as for WhatsApp Web.

Connection to Facebook Leak of 2021

The research team was also able to identify millions of active WhatsApp accounts in countries where the platform is officially banned, such as China, Iran, and Myanmar. They further showed that almost half of all phone numbers that appeared in the Facebook data leak of 2021 were still active on WhatsApp. In this leak, the personal data of more than 530 million Facebook users worldwide was published on the internet. For the Vienna researchers, this highlights an ongoing risk for compromised numbers, such as becoming the target of scam calls.

Meta Responded and Closed Security Gap

The experts were also able to gain some general insights about WhatsApp users. This includes the global distribution of Android (81 percent) versus iOS devices (19 percent), regional differences in privacy behavior, such as the use of public profile pictures or about texts, as well as differences in the activity and growth of WhatsApp accounts in different countries.

The computer scientists reported their findings to Meta, the operator of WhatsApp, which has since closed the vulnerability.

It is emphasized that the study did not access the end-to-end encrypted message contents and no personal data was published or shared. All retrieved data was deleted before the publication of the study results.

Criticism of Metadata Collection Despite Encryption

End-to-end encryption protects the content of messages, but not necessarily the associated metadata, emphasizes co-author Aljosha Judmayer from the University of Vienna. The work, whose results will be officially presented at a conference in the USA in February, shows that "privacy risks can also arise when such metadata is collected and analyzed on a large scale".

(APA/Red)
