Posted by KingNoLimit 11/19/2025
Related to Zero Knowledge Proofs, the advantage is that phone numbers need never be shared in cleartext, preempting whole classes of attacks. However, could be overkill for your needs, and I am not sure how well current techniques would scale.
It would be great if users don't have to share the actual number with the server, a hash or something like that but that would make it impossible to verify the number and verification is required to prevent spoofing.
Another way maybe is to have a trusted 3rd party (something like EFF, LetsEncrypt) that can be used by users to validate their numbers and applications can get the hashes from there.
We really need to rethink this “one corp owns all the keys and all servers” setup.
> Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
I thought Threads only interoperates with Mastodon/the fediverse in some limited capacity. Did I miss some Bluesky integration announcement?
> That's opt-in
> highlights the risks associated with the centralization of instant messaging services
Any cervices, really
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
That was super nice.
I mean this as expression of technical feasibility and capability to achieve risk reduction with technical measures in an adequate amount of time.
Remember, that for the rest of the non-technical units out there the “digitization” and “IT implementation projects” fail on a massive scale.
Shit in shit out.
Whatever we trash FAANG for, any government has way more blowout.
Decentralization allows people to choose who they trust. Or rather requires them to really
No, it really doesn't, and not because I have any faith in the current US government, just because I've seen the way Meta relates to it.
yeah
I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.
Email, of course, has an unlimited number of possible addresses. Phone numbers are a dense space with limited parameter length. So it is easier to enumerate all phone numbers.
I assume it can be related to this leak? Knowing someone uses a service can increase the effectiveness of targeted phishing.
Interestingly it’s harder to block these senders that do not advertise a number on sms.
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
I imagine that for some, it also contributes to a sense of identity, much the same way that a mailing address might.
Where do you live, and why do cell phone numbers cycle so quickly?
Since facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly avilable information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
I agree that there should be rate limiting of some sort.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
There are many alternatives to WhatsApp, you may want to try them. Briar, Ricochet Refresh, Session, Matrix (Element), Jabber (with OMEMO and whatnot), among many others.
What is this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered ratelimiting and bypassed it, it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i faulter on calling it a vulnerability as in my eyes that term is specifically for unintended side affects / exploitation.
Wouldn't that be the exact same privacy problem in effect? What's the practical difference between ineffective and no rate limiting?
assuming a reasonable ratelimit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of whatsapp, the issue this paper highlights is that there is no protection against mass scraping
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.