- Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
by esquivalience
1 subcomments
- From the article:
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
by ChrisMarshallNY
4 subcomments
- > highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
- Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
- This doesn't seem like much of a leak. It sounds like users created public profiles that would be shown to anyone who entered their phone number while searching for other users.
The researchers managed to get a list of users and the public information in their profile by looking up random numbers, but all they got was the public information users put in their profiles.
Since facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly available information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
by entropoem
1 subcomments
- One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
by abigailphoebe
3 subcomments
- this is just... enumeration of phone numbers?
how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
by maratumba
1 subcomments
- I don't know if it's related but this morning I realized that I'd been logged out of my Whatsapp account. When I tried to log back in, I couldn't get Whatsapp to confirm my phone number. I didn't get the SMS they sent for the recovery code. Thankfully "call me" option worked for receiving the recovery code. But then I was asked a 2fa PIN which I (unfortunately) never had set up. "Forgot my PIN" also didn't send an email to my account (which I'm pretty sure I also hadn't set up anyway).
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.
- Isn't this very similar to the 2020 paper that covered WhatsApp, Telegram and Signal? https://encrypto.de/news/contact-discovery
What concerns me is that the only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
by InfoSecErik
0 subcomment
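The server-side throttling that the comment above calls the only real defence, sketched as an added example (not WhatsApp's code, nor the paper's): a contact-discovery lookup that budgets how many distinct numbers each client may probe per window and flags clients whose probes are mostly misses, which is what a blind sweep of the number space looks like to a defender. Budgets, thresholds and the registered-number set are assumed, constructed values.

```python
import time

WINDOW_SECONDS = 3600       # assumed: reset per-client counters hourly
DISTINCT_BUDGET = 2000      # assumed: more distinct numbers than a real phone book
MISS_RATE_ALERT = 0.9       # assumed: random sweeps mostly hit unregistered numbers
MIN_PROBES_FOR_ALERT = 100  # assumed: avoid alerting on tiny samples


class DiscoveryService:
    """Answers 'is this number registered?' with per-client throttling."""

    def __init__(self, registered, clock=time.time):
        self.registered = set(registered)
        self.clock = clock
        self.state = {}       # client -> {"start", "seen", "misses"}
        self.alerts = []      # (client, distinct probes, miss rate) for the SOC

    def _window(self, client):
        now = self.clock()
        st = self.state.get(client)
        if st is None or now - st["start"] >= WINDOW_SECONDS:
            st = {"start": now, "seen": set(), "misses": 0}
            self.state[client] = st
        return st

    def lookup(self, client, number):
        """True = registered, False = not registered, None = throttled."""
        st = self._window(client)
        if number not in st["seen"]:          # repeats of a number are free
            if len(st["seen"]) >= DISTINCT_BUDGET:
                return None                   # distinct-probe budget exhausted
            st["seen"].add(number)
            if number not in self.registered:
                st["misses"] += 1
            self._check_alert(client, st)
        return number in self.registered

    def _check_alert(self, client, st):
        probes = len(st["seen"])
        rate = st["misses"] / probes
        if probes >= MIN_PROBES_FOR_ALERT and rate >= MISS_RATE_ALERT:
            if not any(a[0] == client for a in self.alerts):
                self.alerts.append((client, probes, round(rate, 2)))


def simulate():
    """Constructed scenario: one honest contact sync and one blind sweep."""
    registered = {f"+1555000{i:04d}" for i in range(0, 10000, 20)}
    svc = DiscoveryService(registered)
    sync = [svc.lookup("alice", n) for n in list(registered)[:50]]
    sweep = [svc.lookup("scraper", f"+1555000{i:04d}") for i in range(3000)]
    return sync, sweep, svc.alerts
```

The honest sync stays under budget and raises nothing; the sweep is cut off after 2000 distinct probes and is flagged as soon as 100 probes show a 95% miss rate.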
- I once participated in some work like this, https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefi... was super helpful. I couldn't find a link to libphonegen that they were referencing.
by chatmasta
1 subcomments
- This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
- A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
- I’ve actually thought of doing this myself, but there isn’t really much value in enumerating active phone numbers. Lest you run a full scale scam operation cold calling people to phish for their banking info.
My entire PII is already leaked elsewhere in other breaches.
by londons_explore
3 subcomments
- The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused...
Never gonna happen.
- Is phone number enumeration now considered a vulnerability? Really?
by rubenvanwyk
0 subcomment
- I can't imagine the scrutiny you must face when your product becomes so mainstream that researchers literally work on identifying security vulnerabilities.
- "security vulnerability" ....
by lolidiots
1 subcomments
- Did they discover it’s not e2e?
- If this is a security vulnerability, then these guys just documented their exploitation of said vulnerability. Sounds like a crime.
Proper research would be to identify an issue, write up the issue, conduct a handful of tests, report the issue. Improper research is enumerate the entire input space and gather as much data as you can from the target.
- Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
- The security vuln is that it's owned by a bad faith actor
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
by bfkwlfkjf
2 subcomments
- [flagged]
- SimpleX is the way.