A security flaw in WhatsApp has exposed the phone numbers, profile photos, and user details of 3.5 billion users worldwide. Researchers from the University of Vienna uncovered this massive data leak by exploiting WhatsApp’s contact discovery tool.
The contact discovery tool, designed to quickly add new contacts, became a gateway for extracting vast amounts of personal information. By systematically checking every possible phone number, the researchers were able to access a significant portion of WhatsApp’s global user base. This flaw allowed them to retrieve phone numbers, profile photos, and profile text for a substantial fraction of WhatsApp users.
Despite a prior warning in 2017 about this vulnerability, WhatsApp’s parent company, Meta, did not impose limits on the number or speed of contact discovery requests. This oversight enabled the researchers to extract data at an alarming rate, in what could have been the largest data leak in history.
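As an added illustration (not code from the article, the researchers, or Meta), the sketch below shows one way a contact discovery endpoint could cap both the speed of lookups and the number of distinct phone numbers an account may check. The class name, thresholds, and sample numbers are assumptions constructed for this example.

```python
import time
from collections import defaultdict


class ContactDiscoveryLimiter:
    """Per-account caps on lookup speed and lookup volume (hypothetical policy)."""

    def __init__(self, rate_per_sec=2.0, burst=20, max_distinct=500, window_sec=86400):
        self.rate, self.burst = rate_per_sec, burst
        self.max_distinct, self.window = max_distinct, window_sec
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}                  # account -> time of previous request
        self.seen = defaultdict(dict)   # account -> {number: first lookup time}

    def allow(self, account, number, now=None):
        now = time.monotonic() if now is None else now
        # Speed cap: token bucket refilled at `rate` per second, up to `burst`.
        elapsed = now - self.last.get(account, now)
        self.last[account] = now
        self.tokens[account] = min(self.burst, self.tokens[account] + elapsed * self.rate)
        if self.tokens[account] < 1:
            return False, "rate"
        # Volume cap: distinct numbers checked inside the rolling window.
        seen = self.seen[account]
        for expired in [n for n, t in seen.items() if now - t > self.window]:
            del seen[expired]
        if number not in seen and len(seen) >= self.max_distinct:
            return False, "volume"
        self.tokens[account] -= 1
        seen.setdefault(number, now)
        return True, "ok"


def demo():
    """Replay three constructed traffic patterns and return each decision list."""
    lim = ContactDiscoveryLimiter(rate_per_sec=1.0, burst=5, max_distinct=8, window_sec=3600)
    # Address-book sync: the same 3 contacts re-checked every 2 seconds.
    sync = [lim.allow("sync", f"+9990000{i % 3:04d}", now=i * 2.0)[1] for i in range(12)]
    # Fast sequential sweep: a new number every 10 ms trips the speed cap.
    fast = [lim.allow("fast", f"+9990000{i:04d}", now=i * 0.01)[1] for i in range(20)]
    # Slow sweep: stays under the speed cap but trips the distinct-number cap.
    slow = [lim.allow("slow", f"+9990000{i:04d}", now=i * 2.0)[1] for i in range(12)]
    return sync, fast, slow


if __name__ == "__main__":
    for name, decisions in zip(("sync", "fast", "slow"), demo()):
        print(name, decisions)
```

The slow sweep is why a speed cap alone is not sufficient: only the cap on distinct numbers stops a client that paces its requests.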
The researchers responsibly disclosed their findings to Meta in April, prompting the company to address the issue. By October, Meta had rectified the security flaw, preventing further exploitation of user data.
Source: WIRED