Posted by KingNoLimit 7 hours ago
Never gonna happen.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
Nor were social security numbers.
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.