Simple Security Flaw Exposed All WhatsApp Accounts to Enumeration Attack
November 26, 2025
Researchers in Vienna have demonstrated that the WhatsApp “Contact Discovery” feature has been vulnerable to straightforward phone number enumeration for some time. The security flaw was responsibly disclosed and has since been addressed, but was likely available for years and impacts all WhatsApp accounts.
Exposure of WhatsApp accounts included some profile pictures and text
The security flaw impacted all WhatsApp accounts globally, but individual security settings determined the amount of exposure. While the platform’s encrypted messages were in no danger, profile pictures and text could be exposed if security settings allowed for it. The researchers say that 57% of profiles had a picture exposed, and 29% had profile text exposed. Of the pictures that were exposed, about two-thirds were recognizable human faces.
WhatsApp owner Meta responded to the report by issuing statements indicating that it has since implemented better rate limiting technology that sews up the security flaw, and that only “publicly available” information was exposed. But the researchers say that they disclosed the issue via Meta’s bug bounty program in April of this year, and could not get a meeting with representatives of the company until they provided a pre-print of the paper and indicated they were imminently about to publish. Meta also did not implement the rate limiting changes until October.
While the researchers came up with a novel technique for exploiting the security flaw, capable of checking 7,000 phone numbers per second, theoretical attacks of this nature have been floating around for over a decade now. A smaller-scale attack of this type was first developed by researchers in 2012, and in 2017 a Dutch researcher published a theoretical attack quite similar to this one. The same researchers also successfully executed another approach in 2019, followed by another research team in 2020.
WhatsApp security flaw could be present on other platforms
The exposure of WhatsApp accounts is particularly noteworthy as it is now the world’s largest messaging platform, with its estimated 3.5 billion total global users and 150 billion messages passed per day. But other platforms that make similar use of address books to automatically add contacts may be vulnerable to the same sort of security flaw.
Meta has implied the issue is not that serious as the only information that can be scraped is available on profiles that have been made public. However, the researchers point out that this is not the full scope of potential damage. Simply verifying working and active phone numbers is valuable to scammers and hackers, and vaults these targets to the top of their list. An even bigger danger is the exposure of targets of government persecution in authoritarian regimes that have banned WhatsApp from their nations.
Though these address book features are voluntary and present obvious security concerns, they are also popular. WhatsApp has cited the feature as one of the keys to its explosive growth. But it is very hard to make this work while also implementing appropriate security. The one functional way to do it is rate limiting; if even WhatsApp was this slow to address it properly, the feature should be heavily scrutinized for similar security flaws when present in any other services.
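The article's point that rate limiting is the one functional mitigation has a subtlety worth showing: a contact-sync endpoint must budget the number of phone numbers looked up, not the number of requests, or one bulk "sync my address book" call still enumerates thousands of numbers at once. The following is an added illustration, not WhatsApp's or Meta's code; the limiter, the log format and the client identifiers are constructed for the example, and the 7,000-per-second figure from the research serves only as the reference rate for the offline detector.

```python
import time
from collections import defaultdict

# Hypothetical limiter for a contact-discovery endpoint (not WhatsApp's code).
# The budget is spent per distinct phone number looked up, not per request,
# so a bulk sync carrying thousands of numbers is charged in full.
class ContactDiscoveryLimiter:
    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock                       # injectable for deterministic tests
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = {}

    def _refill(self, client: str) -> None:
        now = self.clock()
        elapsed = now - self.last.get(client, now)
        self.last[client] = now
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.refill)

    def allow(self, client: str, numbers: list[str]) -> bool:
        """Charge the bucket for the whole batch, or reject it without charging."""
        self._refill(client)
        cost = len(set(numbers))
        if cost > self.tokens[client]:
            return False
        self.tokens[client] -= cost
        return True

# Constructed sample log lines: "<unix_ts> <client_id> <numbers_in_batch>".
SAMPLE_LOG = """\
1700000000 app-7f21 312
1700000001 app-7f21 5
1700000000 scr-0001 7000
1700000001 scr-0001 7000
1700000002 scr-0001 7000
"""

def flag_enumerators(log: str, max_numbers_per_sec: float) -> set[str]:
    """Offline detection: flag clients whose average lookup rate over the
    logged window exceeds the threshold (a real address book sync is bursty
    but small; a scraper sustains thousands of numbers per second)."""
    per_client = defaultdict(list)               # client -> [(ts, count)]
    for line in log.splitlines():
        ts, client, n = line.split()
        per_client[client].append((int(ts), int(n)))
    flagged = set()
    for client, rows in per_client.items():
        span = max(ts for ts, _ in rows) - min(ts for ts, _ in rows) + 1
        if sum(n for _, n in rows) / span > max_numbers_per_sec:
            flagged.add(client)
    return flagged
```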