Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
Related to Zero Knowledge Proofs, the advantage is that phone numbers need never be shared in cleartext, preempting whole classes of attacks. However, could be overkill for your needs, and I am not sure how well current techniques would scale.
Ah its great you bring this up, it's timely as my app is adding contacts syncing soon and I want to do it in a secure/private way. If you choose to go ahead with this, are there any plans to make it open source? ty!
The RFC addresses security, but does not mention anything about privacy.
I think the scheme ultimately boils down to trusting the server/instance.
It would be great if users don't have to share the actual number with the server,
a hash or something like that but that would make it impossible to verify the number and verification is required to prevent spoofing.
Another way maybe is to have a trusted 3rd party (something like EFF, LetsEncrypt) that can be used by users to validate their numbers and applications can get the hashes from there.
Ok, let’s not have the is Bluesky decentralised discussion again. Kudos to Bluesky’s PR efforts to use complex technology to basically sell themselves as whatever people want to hear (like NFTs but social media). There are a number of X/Threads clones out there, but I’d take a group chat on some relatively secure messaging platform over “social media” any day. Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
We really need to rethink this “one corp owns all the keys and all servers” setup.
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
I wonder if there was ever a path for solving this early, like, we made email and that proliferated, if only we'd landed on better identity management first, would we be in some digital messaging utopia.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
Maybe, but, in practice, email has been basically centralized too. For most people, it's just too convenient to get a gmail account for free, and forget about any maintenance headache.
But that only started when gmail launched with a deal that was too good to refuse (a mailbox that was huge for the time, and grew bigger over time). Before that most people just used the free email account they got from their ISP. That also comes without maintenance headache for the user and is at least somewhat less centralized
The public keys won't be stable as we would need to rotate them. We need both a stable identity and a proof of that identity. Security is not very user friendly and would have made the digital tech even more fringe. One of the reasons email and web took off was its comparative ease of use.
For messaging i think early skype had it sorted more or less , decentralised - widely used and intuitive identity.
If it had been allowed to evolve identity maybe like email(matrix or even bsky) got federated with custom servers/identities and handles that could still interoperate, would be nice. Instead MS bought it and ran it into the ground.
I think tech companies would've eventually attempted to build some walls around that and monetise it. Regardless of technology, the challenge is someone wants to "take this to the next level" - as long as it's investor driven, it remains "open" only as long as that brings more money or community good will
You trust it more than your government. Which stands to reason at the moment if you are in the US. But there are competent, more trustworthy governments in other parts of the world. And other companies people might trust more than Meta.
Decentralization allows people to choose who they trust. Or rather requires them to really
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
It's a feature for many of us, it is for me, cause when I input a new phone number in my contacts (like let's say a plumber's phone number I found on the internet) I first go to WhatsApp to check if they've got a profile there, in which case I contact them directly using WhatsApp, not via voice-call/SMS.
this is just... enumeration of phone numbers?
how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
I agree with this, but not the rest. It is not a security vulnerability, and I am not sure it being a privacy-sensitive endpoint either. Like someone pointed out, if you check one of your contacts and they have WhatsApp, you can tell, and you can message them from there. This is a feature.
I agree that there should be rate limiting of some sort.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered ratelimiting and bypassed it, it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i faulter on calling it a vulnerability as in my eyes that term is specifically for unintended side affects / exploitation.
assuming a reasonable ratelimit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of whatsapp, the issue this paper highlights is that there is no protection against mass scraping
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.
OK... but it's not phone number enumeration. You need to give it a phone number to check if whatsapp acc is registered for it. So you need to have a collection of phone numbers first. If you have a collection of all phone numebrs in the world then you could enumerate whatsapp accounts.
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
I’ve actually thought of doing this myself, but there isn’t really much value in enumerating active phone numbers. Lest you run a full scale scam operation cold calling people to phish for their banking info.
My entire PII is already leaked elsewhere in other breaches.
I can't imagine the scrutiny you must face when your product becomes so mainstream that researchers literally work on identifying security vulnerabilities.
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
> That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
But you had the option of having an unlisted or unpublished phone number. To give one datapoint, in Los Angeles in the 1980s about half of all numbers were unlisted. I would expect that the unlisted rate was much higher in big cities like L.A. compared to the rest of the country.
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
Right, but if a country being at war or in a authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en-masse.
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
>Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
we agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.
To create a whatsapp acccount, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power on.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.
Wow so much unrelated drama combined with pretty interesting advertisement.
Do you work for Meta?
People don't use WhatsApp because it's so secure. In certain countries people started using it because it was the first app that was cheaper than SMS and now they use it because everybody else is still using it. There is no other significant reason.
They have a history of security issues going back to 2011 when you could take over other peoples account. Today is just the last story of this ugly and leaking brother to Signal. The actually "most secure" app out there.
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
I was peripherally looking into this for a similar problem domain: https://en.wikipedia.org/wiki/Private_set_intersection
Related to Zero Knowledge Proofs, the advantage is that phone numbers need never be shared in cleartext, preempting whole classes of attacks. However, could be overkill for your needs, and I am not sure how well current techniques would scale.
Ah its great you bring this up, it's timely as my app is adding contacts syncing soon and I want to do it in a secure/private way. If you choose to go ahead with this, are there any plans to make it open source? ty!
The RFC addresses security, but does not mention anything about privacy. I think the scheme ultimately boils down to trusting the server/instance.
It would be great if users don't have to share the actual number with the server, a hash or something like that but that would make it impossible to verify the number and verification is required to prevent spoofing.
Another way maybe is to have a trusted 3rd party (something like EFF, LetsEncrypt) that can be used by users to validate their numbers and applications can get the hashes from there.
phone numbers aren’t unique enough for hashes, a lookup table would not be that much effort
Ok, let’s not have the is Bluesky decentralised discussion again. Kudos to Bluesky’s PR efforts to use complex technology to basically sell themselves as whatever people want to hear (like NFTs but social media). There are a number of X/Threads clones out there, but I’d take a group chat on some relatively secure messaging platform over “social media” any day. Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
We really need to rethink this “one corp owns all the keys and all servers” setup.
> Even threads can connect to BlueSky
I thought Threads only interoperates with Mastodon/the fediverse in some limited capacity. Did I miss some Bluesky integration announcement?
so matrix? (which has it's own issues, but will hopefully overcome them eventually)
Yup
> highlights the risks associated with the centralization of instant messaging services
Any cervices, really
From the article:
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
https://simplex.chat/ Seems to take security and decentralization pretty far while keeping it convenient enough.
I wonder if there was ever a path for solving this early, like, we made email and that proliferated, if only we'd landed on better identity management first, would we be in some digital messaging utopia.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
Maybe, but, in practice, email has been basically centralized too. For most people, it's just too convenient to get a gmail account for free, and forget about any maintenance headache.
But that only started when gmail launched with a deal that was too good to refuse (a mailbox that was huge for the time, and grew bigger over time). Before that most people just used the free email account they got from their ISP. That also comes without maintenance headache for the user and is at least somewhat less centralized
The public keys won't be stable as we would need to rotate them. We need both a stable identity and a proof of that identity. Security is not very user friendly and would have made the digital tech even more fringe. One of the reasons email and web took off was its comparative ease of use.
For messaging i think early skype had it sorted more or less , decentralised - widely used and intuitive identity. If it had been allowed to evolve identity maybe like email(matrix or even bsky) got federated with custom servers/identities and handles that could still interoperate, would be nice. Instead MS bought it and ran it into the ground.
I think tech companies would've eventually attempted to build some walls around that and monetise it. Regardless of technology, the challenge is someone wants to "take this to the next level" - as long as it's investor driven, it remains "open" only as long as that brings more money or community good will
I wonder what happened to Mozilla Persona.
That was super nice.
just read the matrix thread on hn homepage.
yeah
I have more confidence in Meta than the government.
I mean this as expression of technical feasibility and capability to achieve risk reduction with technical measures in an adequate amount of time.
Remember, that for the rest of the non-technical units out there the “digitization” and “IT implementation projects” fail on a massive scale.
Shit in shit out.
Whatever we trash FAANG for, any government has way more blowout.
You trust it more than your government. Which stands to reason at the moment if you are in the US. But there are competent, more trustworthy governments in other parts of the world. And other companies people might trust more than Meta.
Decentralization allows people to choose who they trust. Or rather requires them to really
> You trust it more than your government. Which stands to reason at the moment if you are in the US.
No, it really doesn't, and not because I have any faith in the current US government, just because I've seen the way Meta relates to it.
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
I’ve been receiving lots of SMS lately claiming to come from “WatApp”, “whtas app” and similar instead of a phone number.
I assume it can be related to this leak? Knowing someone uses a service can increase the effectiveness of targeted phishing.
Interestingly it’s harder to block these senders that do not advertise a number on sms.
It's a feature for many of us, it is for me, cause when I input a new phone number in my contacts (like let's say a plumber's phone number I found on the internet) I first go to WhatsApp to check if they've got a profile there, in which case I contact them directly using WhatsApp, not via voice-call/SMS.
this is just... enumeration of phone numbers? how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
A complete lack of rate limiting at a privacy-sensitive endpoint is arguably a fault.
I agree with this, but not the rest. It is not a security vulnerability, and I am not sure it being a privacy-sensitive endpoint either. Like someone pointed out, if you check one of your contacts and they have WhatsApp, you can tell, and you can message them from there. This is a feature.
I agree that there should be rate limiting of some sort.
Scale matters a lot for privacy.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
If Whatsapp is banned in the country and you could get sent to jail for using it, I'd want the fact that I'm using Whatsapp to be kept private.
100M per hour... it's quite ridiculous no ?
just read the pre-print paper.
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered ratelimiting and bypassed it, it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i faulter on calling it a vulnerability as in my eyes that term is specifically for unintended side affects / exploitation.
> i was under the impression they had encountered ratelimiting and bypassed it
Wouldn't that be the exact same privacy problem in effect? What's the practical difference between ineffective and no rate limiting?
ehh, not really.
assuming a reasonable ratelimit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of whatsapp, the issue this paper highlights is that there is no protection against mass scraping
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
Isn't this very similar to the 2020 paper that covered WhatsApp, Telegram and Signal? https://encrypto.de/news/contact-discovery
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
I once participated in some work like this, https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefi... was super helpful. I couldn't find a link to libphonegen that they were referencing.
This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
There is a way to show profile pictures to only contacts. It's a setting.
Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.
> Yes, and those people didn't get their profile pictures exposed through this phone number enumeration.
They did and this was not enumeration, did you read post?
The post with the headline “Worldwide enumeration of accounts was possible?”
OK... but it's not phone number enumeration. You need to give it a phone number to check if whatsapp acc is registered for it. So you need to have a collection of phone numbers first. If you have a collection of all phone numebrs in the world then you could enumerate whatsapp accounts.
And yes the pictures were leaked in the process.
A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
The lack of rate limiting was surprising.
Yes, indeed, I wouldn't have expected to be possible to enumerate all of them in a short time from a single IP.
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
I'm almost 100% sure that one of them is the only North Korean Steam user.
I hope nobody tells Kim there are another four users. I'm not sure their prison system can handle anymore, pretty well booked up last I heard.
If anything, the other four are likely to also be Kims.
I’ve actually thought of doing this myself, but there isn’t really much value in enumerating active phone numbers. Lest you run a full scale scam operation cold calling people to phish for their banking info.
My entire PII is already leaked elsewhere in other breaches.
I can't imagine the scrutiny you must face when your product becomes so mainstream that researchers literally work on identifying security vulnerabilities.
The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused...
Never gonna happen.
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
>3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
> That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
Phone numbers were never supposed to be secret.
Nor were social security numbers.
We used to put phone numbers and addresses in printed books and give them to everyone.
I remember looking in a 1930's phone book for Zurich, and it even mentions the person's job (I guess for significant jobs like company owner)...
Norway still publishes everyone's tax returns.
Phone numbers are treated as permanent even though they’re ephemeral. So here we are.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
But it's to combat spam, we swear! Because of course there is no spam in whatsapp!
Is phone number enumeration now considered a vulnerability? Really?
I know, remember when the telco's just published those in books every year?
But you had the option of having an unlisted or unpublished phone number. To give one datapoint, in Los Angeles in the 1980s about half of all numbers were unlisted. I would expect that the unlisted rate was much higher in big cities like L.A. compared to the rest of the country.
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
Very good point.
Everyone I knew while growing up was in the white pages (parents) with home address, not just phone number.
The early “FreeNet” and ISPs like Compuserve used anonymous usernames. Personalized email addresses came later…
Oddly, because we can’t even pay for privacy today, it appears as if nobody cares. Sure, still desirable but not even an option at any cost.
How we got from there to here is troubling.
funny thing is, there's probably a decent percentage of people here that don't remember this
Sarah Connor?
Did they discover it’s not e2e?
lol
"security vulnerability" ....
Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
Right, but if a country being at war or in a authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en-masse.
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
>Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
we agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.
To create a whatsapp acccount, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power on.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.
Wow so much unrelated drama combined with pretty interesting advertisement.
Do you work for Meta?
People don't use WhatsApp because it's so secure. In certain countries people started using it because it was the first app that was cheaper than SMS and now they use it because everybody else is still using it. There is no other significant reason.
They have a history of security issues going back to 2011 when you could take over other peoples account. Today is just the last story of this ugly and leaking brother to Signal. The actually "most secure" app out there.
The security vuln is that it's owned by a bad faith actor
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
SimpleX is the way.