A significant privacy vulnerability has been discovered in WhatsApp, potentially exposing the phone numbers of approximately 3.5 billion users worldwide. Ethical hackers identified a flaw that allowed phone numbers to be collected en masse through the platform's contact lookup, raising concerns about privacy breaches and misuse of personal data. The flaw was reported through responsible disclosure under Meta's bug bounty program, which has paid out more than $25 million to researchers, but the scale of the potential leak underscores the ongoing difficulty of protecting user information on widely used messaging applications.
A security flaw in WhatsApp exposed the potential leak of roughly 3.5 billion phone numbers, according to the ethical hackers who recently uncovered the vulnerability.
Security researchers have revealed a significant data exposure affecting the popular messaging platform WhatsApp. They discovered a weakness in the platform's contact lookup that allowed them to enumerate roughly 3.5 billion phone numbers. Exploited maliciously, it could have become one of the largest data leaks in history, according to the Austrian researchers.
The Vulnerability
WhatsApp lets users look up other people simply by entering a phone number. When a number is entered, the platform indicates whether that number is registered on WhatsApp and, if so, displays the user's name, profile picture and status. Convenient as it is, this feature becomes a security risk as soon as it can be queried at scale. The researchers turned it into a collection tool capable of checking over 100 million phone numbers per hour, and fed it 63 billion candidate phone numbers.
Surprisingly, neither the researchers' IP addresses nor their accounts were blocked by WhatsApp during this extensive testing, and no rate limiting was applied, so they could keep querying at 7,000 phone numbers per second. “To our astonishment, neither our IP address nor our accounts were blocked by WhatsApp. Moreover, we did not encounter any rate limiting. With our query speed of 7,000 phone numbers per second, we were able to confirm 3.5 billion phone numbers registered on WhatsApp,” the researchers stated.
Platforms typically rate-limit lookups of this kind precisely to prevent large-scale data collection, but WhatsApp lacked such a safeguard at the time of the research. Two separate controls are reported as absent: per-source blocking (neither the IP address nor the accounts were ever cut off) and a cap on the number of lookups a single account may make. Either would have stopped the researchers from submitting billions of phone numbers without restriction. The incident underscores the importance of robust data protection measures in widely used communication apps.
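To make the mechanism concrete, the following Python example models a contact-discovery endpoint and an enumeration loop against it, first with no limits (the behaviour the researchers describe) and then with two assumed mitigations: a per-client token bucket and a miss-ratio check that blocks clients whose lookups almost never hit a registered number. This is an added illustration, not WhatsApp's code or the researchers' tool; the directory, the candidate range, the limits and the client names are all constructed for the demo.

```python
"""Phone-number enumeration against a contact-discovery endpoint, with and
without server-side throttling.  Constructed demo; not WhatsApp's code."""

# Constructed directory: six "registered" numbers inside a 200,000-number range.
REGISTERED = {f"+43660{n:07d}" for n in (12, 1337, 4242, 90000, 123456, 199999)}
CANDIDATES = [f"+43660{n:07d}" for n in range(200_000)]


class TokenBucket:
    """Classic token bucket: `capacity` burst, then `refill_per_sec` sustained."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ContactDiscovery:
    """Hypothetical lookup service.  With no arguments it reproduces the
    unthrottled behaviour the researchers describe; `limit` and
    `max_miss_ratio` are assumed mitigations, not anything WhatsApp ships."""

    def __init__(self, limit=None, max_miss_ratio=None, min_queries=50):
        self.limit = limit                  # (burst, sustained per second) or None
        self.max_miss_ratio = max_miss_ratio
        self.min_queries = min_queries      # don't judge a client on a tiny sample
        self.buckets = {}
        self.stats = {}                     # client -> [queries, misses]
        self.blocked = set()

    def lookup(self, client: str, number: str, now: float) -> str:
        if client in self.blocked:
            return "blocked"
        if self.limit is not None:
            bucket = self.buckets.setdefault(client, TokenBucket(*self.limit))
            if not bucket.allow(now):
                return "throttled"
        hit = number in REGISTERED
        stats = self.stats.setdefault(client, [0, 0])
        stats[0] += 1
        stats[1] += 0 if hit else 1
        # An address-book sync mostly asks about numbers that exist; a brute-force
        # walk of the number space misses almost every time.  Block on that signal.
        if (self.max_miss_ratio is not None and stats[0] >= self.min_queries
                and stats[1] / stats[0] > self.max_miss_ratio):
            self.blocked.add(client)
        return "registered" if hit else "unknown"


def enumerate_numbers(service, client, numbers, rate=7000.0):
    """Attacker loop: walk the candidate space at `rate` queries/second (the
    speed quoted in the article) and keep every number the service confirms.
    Returns (confirmed_numbers, rejected_query_count)."""
    confirmed, rejected = [], 0
    for i, number in enumerate(numbers):
        result = service.lookup(client, number, now=i / rate)
        if result == "registered":
            confirmed.append(number)
        elif result in ("throttled", "blocked"):
            rejected += 1
    return confirmed, rejected


def sync_address_book(service, client, contacts):
    """Legitimate client: a single pass over a small address book."""
    return [service.lookup(client, c, now=i * 0.01) for i, c in enumerate(contacts)]


if __name__ == "__main__":
    found, _ = enumerate_numbers(ContactDiscovery(), "attacker", CANDIDATES)
    print("no limits:    confirmed", len(found), "of", len(REGISTERED))
    found, rej = enumerate_numbers(ContactDiscovery(limit=(100, 1.0)), "attacker", CANDIDATES)
    print("token bucket: confirmed", len(found), "rejected", rej)
    found, rej = enumerate_numbers(ContactDiscovery(max_miss_ratio=0.9), "attacker", CANDIDATES)
    print("miss ratio:   confirmed", len(found), "blocked after", len(CANDIDATES) - rej)
    book = sorted(REGISTERED) + [f"+4366099{n:05d}" for n in range(4)]  # constructed contacts
    svc = ContactDiscovery(limit=(100, 1.0), max_miss_ratio=0.9)
    print("address book:", sync_address_book(svc, "alice", book))
```

Without limits the loop confirms every registered number in the range; a 100-query burst with one query per second sustained leaves the attacker with a single hit, and the miss-ratio check blocks the client after its 50th lookup, while the ten-number address-book sync passes both controls untouched. Neither heuristic is sufficient on its own: an attacker can spread queries across many accounts and IP addresses, or pad the stream with numbers already known to be registered to keep the miss ratio down, so per-account and per-source limits need to be applied together.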
Ethical Hacking and Meta’s Bug Bounty Program
The researchers engaged in ethical hacking, a practice that helps companies identify and address security vulnerabilities before criminals exploit them. This isn't the first time Meta has been the subject of such efforts. Meta rewards these researchers, having paid out approximately $4 million this year alone for vulnerabilities in WhatsApp and its other platforms. Forbes reports that Meta has awarded more than $25 million to 1,400 researchers from 88 countries through its bug bounty program over the years.