Critical Warning for WhatsApp Users: Major Security Flaw Discovered
An alarming alert has been issued to WhatsApp users following the revelation of a significant vulnerability by cybersecurity specialists.
Researchers have disclosed that a seemingly innocuous flaw facilitated access to an astonishing 3.5 billion profiles on the Meta-owned messaging platform.
While individual messages remained shielded by encryption, the researchers successfully harvested extensive volumes of ‘metadata’.
This data encompassed personal details such as phone numbers, geographic locations, device types, and account ages.
Experts from the University of Vienna and SBA Research identified a weakness in WhatsApp’s built-in contact discovery mechanism.
This feature typically allows the app to access a user’s contact directory to identify other WhatsApp users via their phone numbers.
However, the researchers found that there was no limit on the number of phone numbers a single source could check through this mechanism.
By exploiting this weakness, they could query 100 million phone numbers per hour, unlocking billions of user profiles.
Lead researcher Gabriel Gegenhuber of the University of Vienna stated, “Typically, a system should not yield such a high number of requests in such a brief interval, particularly from a singular source.”
“This anomaly unveiled the underlying flaw, permitting us to generate effectively limitless requests to the server, thereby mapping user data globally.”
Employing this technique, the researchers unearthed a treasure trove of data from WhatsApp accounts spanning 245 nations.
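The weakness the article describes is a lookup endpoint that answers “which of these numbers are registered?” with no per-caller budget, so one source can walk the whole number space; the quote above also names the signal a server should watch for, an implausibly high request volume from a single source in a short interval. The following Python is an added illustration written for this page, not WhatsApp’s or Meta’s code: it models a contact-discovery service in the unbounded setting and with a per-caller sliding-window budget, and adds a log check that flags callers whose lookups exceed a threshold within a window. The registered numbers, caller ids, log format and thresholds are all constructed for the example.

```python
"""Defensive model of a contact-discovery endpoint (added example, not
WhatsApp's code).  A lookup with no per-caller budget lets one source
check an entire number space; a sliding-window budget bounds it, and a
server-side check for bursts from a single source detects the pattern."""
from collections import defaultdict, deque

# Constructed sample of registered numbers; the values are hypothetical.
REGISTERED = {"+15550000001", "+15550000042", "+15550000777"}


class ContactDiscovery:
    """Answers 'which of these numbers are registered?' for a caller."""

    def __init__(self, max_per_window=None, window_s=3600.0):
        self.max_per_window = max_per_window  # None = unbounded (the weak setting)
        self.window_s = window_s
        self._hist = defaultdict(deque)       # caller -> timestamps of past lookups

    def lookup(self, caller, numbers, now):
        """Return the subset of `numbers` that is registered, or refuse the
        batch if it would push the caller over the budget for the window."""
        if self.max_per_window is not None:
            hist = self._hist[caller]
            while hist and now - hist[0] >= self.window_s:   # drop expired lookups
                hist.popleft()
            if len(hist) + len(numbers) > self.max_per_window:
                raise PermissionError("per-caller lookup budget exceeded")
            hist.extend([now] * len(numbers))
        return {n for n in numbers if n in REGISTERED}


def lookups_allowed(service, caller, total, batch, step_s=1.0):
    """Simulate one source submitting `total` numbers in batches of `batch`,
    one batch every `step_s` seconds, and return how many numbers the server
    actually checked before refusing.  Numbers use a constructed 555 prefix."""
    checked, now = 0, 0.0
    for start in range(0, total, batch):
        numbers = ["+1555%07d" % i for i in range(start, min(start + batch, total))]
        try:
            service.lookup(caller, numbers, now)
        except PermissionError:
            break
        checked += len(numbers)
        now += step_s
    return checked


# Constructed server-side log lines: epoch seconds, caller id, batch size.
SAMPLE_LOG = [
    "1700000000 caller=phone-A n=20",
    "1700000005 caller=phone-B n=3",
    "1700000030 caller=phone-A n=20",
    "1700000060 caller=phone-A n=20",
    "1700000090 caller=phone-A n=20",
    "1700003700 caller=phone-A n=20",   # more than an hour after the first batch
]


def flag_bulk_lookups(lines, window_s=3600.0, threshold=50):
    """Return the callers whose looked-up numbers within any `window_s`
    span exceed `threshold` (the 'too many requests from one source' signal)."""
    flagged = set()
    recent = defaultdict(deque)   # caller -> (timestamp, batch size) inside the window
    counts = defaultdict(int)     # caller -> numbers looked up inside the window
    for line in lines:
        ts_s, caller_kv, n_kv = line.split()
        ts = float(ts_s)
        caller = caller_kv.split("=", 1)[1]
        n = int(n_kv.split("=", 1)[1])
        q = recent[caller]
        q.append((ts, n))
        counts[caller] += n
        while q and ts - q[0][0] >= window_s:   # slide the window forward
            _, old = q.popleft()
            counts[caller] -= old
        if counts[caller] > threshold:
            flagged.add(caller)
    return flagged


if __name__ == "__main__":
    print("unbounded:", lookups_allowed(ContactDiscovery(), "src", 1000, 100))
    print("budget 250/h:", lookups_allowed(ContactDiscovery(250), "src", 1000, 100))
    print("flagged:", flag_bulk_lookups(SAMPLE_LOG))
```

With no budget the simulated source gets every one of its 1000 numbers checked; with a budget of 250 per hour it is cut off after 200, because the third batch of 100 would exceed the window. The log check flags `phone-A` at the third batch (60 numbers inside the hour) and ignores `phone-B`; raising the threshold to 100 flags nobody, since the late batch falls outside the window of the earlier ones.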
In collaboration with the researchers, Meta has confirmed that the issue has now been “addressed and mitigated.”
Nitin Gupta, Vice President of Engineering at WhatsApp, remarked, “We were already implementing industry-leading anti-scraping systems, and this study was crucial for stress-testing and confirming the immediate effectiveness of these new protections.”
“Importantly, the researchers have securely deleted the data collected during this study, and we have found no evidence of malicious actors exploiting this pathway.”
Gupta also emphasized that user messages remained secure and private, asserting that WhatsApp’s end-to-end encryption was not compromised at any stage.
Nonetheless, the researchers contend that their findings underscore the risks associated with centralizing global messaging on a limited number of applications.
The initial publicly available data was essentially the type of information anyone with a user’s phone number could discern.
However, the researchers also managed to extract supplementary information, enabling them to ascertain a user’s operating system, account age, and the number of linked devices.
In countries such as the United States, Brazil, and Mexico, there was sufficient data to pinpoint users’ locations down to the state level.
This exposure could leave users susceptible to scam calls or other forms of attack.
Co-author Dr. Aljosha Judmayer commented, “End-to-end encryption secures the content of messages, but does not necessarily safeguard the associated metadata.”
“Our work illustrates that privacy risks can manifest even when such metadata is aggregated and analyzed on a grand scale.”
Utilizing the data gathered through this exploration of the vulnerability, the researchers unveiled surprising insights regarding WhatsApp’s global user base.
For instance, they noted that millions of active accounts exist within nations where WhatsApp is officially prohibited, including China, Iran, and Myanmar, all of which maintain stringent controls over access to global internet services.
More worryingly, the researchers identified that half of the 500 million phone numbers exposed during the 2021 Facebook leak remain active on WhatsApp.

The leak, which included full names, phone numbers, locations, and birth dates of users from 2018 to 2019, was publicly disclosed on a hacking forum.
Ireland’s Data Protection Commission subsequently levied a €265 million (£233 million) fine on Meta for failing to comply with data protection regulations.
The researchers caution that there are persistent and elevated cybersecurity threats for individuals utilizing phone numbers that have previously been compromised in this breach.
Source link: Dailymail.co.uk.