
Posted by KingNoLimit 5 hours ago

Researchers discover security vulnerability in WhatsApp (www.univie.ac.at)
138 points | 43 comments
pfraze 2 hours ago|
Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
GlacierFox 1 hour ago||
[flagged]
pfraze 1 hour ago||
It's a retirement home for elder millennials who just happen to be insane. Not the same thing.
fsckboy 2 hours ago||
is this really needed? I already have an effective mechanism for not discovering anybody on bluesky.
pfraze 1 hour ago||
solid burn
ChrisMarshallNY 8 minutes ago||
> highlights the risks associated with the centralization of instant messaging services

That seems to be the takeaway.

Centralization of just about anything is an issue, not just messaging.

However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.

loeg 1 hour ago||
Specifically, the endpoint allowed asking if a given phone number had a WhatsApp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
bfkwlfkjf 1 hour ago||
We are here because an overwhelming majority of people accept subjecting themselves to freedom-oppressing software. If a significant number of people rejected it, that would lower the burden for the rest to also reject it.

Stallman was right.

Stallman was right, but sometimes I think this is bigger than just software. This is about power, and software is just one of many tools. Stallman was right, but I wonder if his ideas would have resonated more widely if they had been framed in terms of power.

GlacierFox 1 hour ago|
State an open source alternative so I can explain to you why the masses think it's crap.
flexagoon 1 hour ago|||
While I agree a lot of open source messenger services have terrible UX, I don't think "the masses" care about it that much. What matters is what everyone else is using. People are using Snapchat or Instagram Messenger and I haven't seen a single person who likes the UX of those services - they just use it and put up with hatred for it because that's what all their friends use.
bfkwlfkjf 1 hour ago|||
Open source has nothing to do with this conversation.
entropoem 40 minutes ago||
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
InfoSecErik 3 hours ago||
I once participated in some work like this, https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefi... was super helpful. I couldn't find a link to libphonegen that they were referencing.
ale42 4 hours ago||
A bit disappointing, I thought everybody knew it was possible to "enumerate" WhatsApp accounts? I was hoping for something more juicy like RCE...
0cf8612b2e1e 2 hours ago||
The lack of rate limiting was surprising.
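The endpoint loeg describes (an unthrottled "is this number registered?" lookup, scaled over the whole number space), the missing rate limiting 0cf8612b2e1e points out, and the trade-off pfraze mentions (less enumeration for less discovery), as an added Python simulation written for this page. It is not WhatsApp's endpoint, not libphonegen and not the scheme in the Bluesky RFC; the prefix, the registered set and the opt-in flags are constructed data:

```python
"""Phone-number enumeration against a contact-discovery lookup, and why
hashing the number does not help while query budgets and opt-in do.
Added example written for this thread: a toy simulation, not WhatsApp's
endpoint and not the scheme in the Bluesky contact-import RFC."""
import hashlib
import itertools
import random
from collections import defaultdict

# Constructed data (assumed, purely illustrative): one mobile prefix with a
# 4-digit tail gives 10^4 candidates; real ranges are far larger, which is
# exactly why the attack needs no cleverness, only query volume.
PREFIX = "+43660"
TAIL_DIGITS = 4
ALL_NUMBERS = [PREFIX + "".join(t)
               for t in itertools.product("0123456789", repeat=TAIL_DIGITS)]
random.seed(7)
REGISTERED = set(random.sample(ALL_NUMBERS, 300))
# Constructed opt-in flags: only some registered users chose to be findable.
DISCOVERABLE = set(random.sample(sorted(REGISTERED), 100))


def h(number: str) -> str:
    return hashlib.sha256(number.encode()).hexdigest()


class NaiveDirectory:
    """'Is this number registered?' with no limits at all."""
    def exists(self, client: str, number: str) -> bool:
        return number in REGISTERED


class HashedDirectory:
    """Same lookup keyed by sha256(number). Phone numbers are a small,
    structured space, so the attacker hashes every candidate and loses nothing."""
    def __init__(self):
        self._hashes = {h(n) for n in REGISTERED}

    def exists(self, client: str, digest: str) -> bool:
        return digest in self._hashes


class BudgetedDirectory:
    """Fixed query budget per client; further queries are refused."""
    def __init__(self, budget: int):
        self.budget = budget
        self.used = defaultdict(int)

    def exists(self, client: str, number: str) -> bool:
        if self.used[client] >= self.budget:
            raise PermissionError("query budget exhausted")
        self.used[client] += 1
        return number in REGISTERED


class OptInDirectory(BudgetedDirectory):
    """Budgeted, and only confirms users who opted into discovery: resilient
    to enumeration at the cost of reduced discovery."""
    def exists(self, client: str, number: str) -> bool:
        return super().exists(client, number) and number in DISCOVERABLE


def enumerate_naive(directory) -> set:
    return {n for n in ALL_NUMBERS if directory.exists("attacker", n)}


def enumerate_hashed(directory) -> set:
    return {n for n in ALL_NUMBERS if directory.exists("attacker", h(n))}


def enumerate_budgeted(directory, client: str = "attacker", numbers=None) -> set:
    """Query until refused; returns what one client identity can confirm."""
    found = set()
    for n in (ALL_NUMBERS if numbers is None else numbers):
        try:
            if directory.exists(client, n):
                found.add(n)
        except PermissionError:
            break
    return found


def enumerate_with_sybils(directory, n_clients: int) -> set:
    """Per-client budgets cap one identity only; an attacker with many
    accounts splits the number space across them and recovers the full set."""
    chunk = -(-len(ALL_NUMBERS) // n_clients)
    found = set()
    for i in range(n_clients):
        found |= enumerate_budgeted(directory, f"sybil-{i}",
                                    ALL_NUMBERS[i * chunk:(i + 1) * chunk])
    return found


if __name__ == "__main__":
    print("naive:   ", len(enumerate_naive(NaiveDirectory())))
    print("hashed:  ", len(enumerate_hashed(HashedDirectory())))
    print("budgeted:", len(enumerate_budgeted(BudgetedDirectory(500))))
    print("sybils:  ", len(enumerate_with_sybils(BudgetedDirectory(500), 20)))
    print("opt-in:  ", len(enumerate_budgeted(OptInDirectory(10**6))))
```

Three things fall out of running it. Hashing the identifier changes nothing, because the candidate space is small enough to hash exhaustively. A per-client query budget only raises the attacker's cost, and is defeated outright by spreading the space across enough throwaway client identities, so a real deployment also needs global anomaly detection rather than per-account counters alone. Only the opt-in variant bounds what an unlimited attacker can learn, and it does so precisely by making the non-opted-in users undiscoverable to legitimate contacts as well.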
ruinin 4 hours ago||
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.

Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.

SweetSoftPillow 4 hours ago|||
I'm almost 100% sure that one of them is the only North Korean Steam user.
jeingham 2 hours ago|||
I hope nobody tells Kim there are another four users. I'm not sure their prison system can handle any more, pretty well booked up last I heard.
chatmasta 46 minutes ago||
This is not a security vulnerability, it's been documented in the user interface for years. That's why I have no profile picture and no status. You clearly opt into "everyone" viewing it, and it's obvious this is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn't take a leap of imagination to enumerate that for the space of valid phone numbers.
zgk7iqea 3 hours ago|
Is phone number enumeration now considered a vulnerability? Really?
hekkle 1 hour ago|
I know, remember when the telcos just published those in books every year?
dylan604 1 hour ago|||
funny thing is, there's probably a decent percentage of people here that don't remember this
austinjp 1 hour ago|||
Sarah Connor?