An urgent warning has been issued to WhatsApp users after cybersecurity experts found a serious vulnerability.
Researchers say that a simple weakness allowed them to access 3.5 billion profiles on the Meta-owned messaging app.
Although users’ messages remained encrypted, the researchers say they were able to harvest vast quantities of ‘metadata’.
This allowed them to discover personal information, including phone numbers, location, type of device, and the age of someone’s account.
Experts from the University of Vienna and SBA Research say that a security weakness allowed them to exploit WhatsApp’s built-in contact discovery mechanism.
Normally, this lets the app access a user’s contact list to find other WhatsApp users by their phone numbers.
However, the researchers found that there were no limits on how many contacts this mechanism could search for.
By exploiting this flaw, the researchers were able to search through 100 million phone numbers every hour and access billions of user profiles.
Cybersecurity experts have issued an urgent warning after discovering a security flaw that allowed access to 3.5 billion WhatsApp profiles
Lead author Gabriel Gegenhuber, a researcher at the University of Vienna, says: ‘Normally, a system shouldn’t respond to such a high number of requests in such a short time – particularly when originating from a single source.
‘This behaviour exposed the underlying flaw, which allowed us to issue effectively unlimited requests to the server and, in doing so, map user data worldwide.’
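The weakness the researchers describe is a lookup endpoint that answers any number of contact-discovery requests from one source. The mitigation is a quota on the number of phone numbers a single source may resolve per time window, counted per number rather than per request so that batching gives no advantage. The following is an added example written for this article, not WhatsApp's or Meta's code and not part of the study; the handler name, the quota values, the registry and the sample numbers are all constructed assumptions.

```python
"""
Per-source quota for a contact-discovery endpoint.

Added example: illustrative only, not WhatsApp's or Meta's implementation.
The API shape, quota values and sample data are assumptions.
"""
import time
from collections import deque


class ContactLookupLimiter:
    """Sliding-window quota on how many phone numbers one source may
    resolve. The quota counts numbers, not requests, so packing many
    numbers into a single call gives no advantage."""

    def __init__(self, max_numbers: int, window_seconds: float, clock=time.monotonic):
        self.max_numbers = max_numbers
        self.window = window_seconds
        self.clock = clock  # injectable for deterministic tests
        # source id -> deque of (timestamp, numbers_in_that_request)
        self._history: dict[str, deque] = {}

    def _prune(self, q: deque, now: float) -> None:
        # Drop entries that have aged out of the window.
        while q and now - q[0][0] >= self.window:
            q.popleft()

    def used(self, source: str) -> int:
        """Numbers resolved by `source` inside the current window."""
        q = self._history.get(source)
        if not q:
            return 0
        self._prune(q, self.clock())
        return sum(n for _, n in q)

    def allow(self, source: str, numbers: list) -> bool:
        """Record the lookup and return True if it fits in the quota;
        otherwise return False and leave the history untouched so the
        caller refuses the whole batch."""
        now = self.clock()
        q = self._history.setdefault(source, deque())
        self._prune(q, now)
        if sum(n for _, n in q) + len(numbers) > self.max_numbers:
            return False
        q.append((now, len(numbers)))
        return True


def resolve_contacts(limiter, registry, source, numbers):
    """Hypothetical discovery handler: returns which submitted numbers are
    registered, or None when the source is over quota (a real service
    would also log the refusal for abuse monitoring)."""
    if not limiter.allow(source, numbers):
        return None
    return [n for n in numbers if n in registry]


def replay_lookups(limiter, registry, source, batch_size, batches):
    """Replay `batches` lookups of `batch_size` constructed numbers from one
    source and return how many batches the limiter refused. Shows that a
    source running at enumeration scale is cut off once the quota is spent."""
    refused = 0
    for i in range(batches):
        batch = [f"+1555{i * batch_size + j:07d}" for j in range(batch_size)]
        if resolve_contacts(limiter, registry, source, batch) is None:
            refused += 1
    return refused


if __name__ == "__main__":
    # Constructed registry and quota: 1000 numbers per source per hour.
    registry = {"+15550000001", "+15550000005"}
    limiter = ContactLookupLimiter(max_numbers=1000, window_seconds=3600)
    print(resolve_contacts(limiter, registry, "phone-a", ["+15550000001", "+15559999999"]))
    print("refused batches:", replay_lookups(limiter, registry, "bulk-source", 100, 20))
```

The quota is deliberately keyed by source and measured in numbers per window; a limiter that counted requests alone would be defeated by larger batches, and one without a per-source key would throttle everyone when a single source misbehaves. Refusals from one source over a short period are also the signal an abuse-monitoring pipeline should alert on.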
Using this technique, the researchers revealed an incredible trove of data from WhatsApp accounts in 245 countries.
Working alongside the researchers, Meta says that it has now ‘addressed and mitigated the issue’.
Nitin Gupta, Vice President of Engineering at WhatsApp, says: ‘We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defences.
‘Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.’
Mr Gupta also stresses that users’ messages remained secure and private, and that WhatsApp’s end-to-end encryption was not compromised at any point.
However, the researchers argue their study shows the risk of ‘centralising’ the world’s messaging on just a few apps.
Researchers were able to extract enough data from users’ profiles to identify their location down to the state (illustrated)
Researchers managed to access the accounts by exploiting WhatsApp’s contact discovery mechanism. The experts say the flaw has now been fixed, and that no cybercriminals have used it (stock image)
The public data that was initially available to the researchers was simply the kinds of information that anyone with a user’s phone number could see.
However, they were also able to extract additional information, allowing them to determine a user’s operating system, account age, and the number of linked companion devices.
In countries including the United States, Brazil, and Mexico, there was enough data to identify a user’s location down to the state.
This could lead to a user being targeted with scam calls or other attacks.
Co-author Dr Aljosha Judmayer says: ‘End-to-end encryption protects the content of messages, but not necessarily the associated metadata.
‘Our work shows that privacy risks can also arise when such metadata is collected and analysed on a large scale.’
Using the data collected by demonstrating the vulnerability, the researchers were able to reveal some surprising details about WhatsApp’s global users.
For example, the researchers discovered that there are millions of active WhatsApp accounts in countries where the platform is officially banned.
Using the exposed profiles, the researchers found that there were millions of active accounts in countries where the app is formally banned – including China, Iran, and Myanmar
These include China, Iran, and Myanmar, which all have strictly controlled access to global internet services.
More concerningly, the researchers discovered that half of the 500 million phone numbers exposed in the 2021 Facebook leak were still active on WhatsApp.
The leak saw the full names, phone numbers, locations, and birthdates of users on the platform from 2018 to 2019 posted to a hacking forum.
Ireland’s Data Protection Commission hit Meta, Facebook’s parent company, with a €265 million (£233 million) fine, after ruling that the breach meant the company had failed to meet data protection laws.
The researchers say that there are enduring and heightened cybersecurity risks for anyone using a number that has previously been exposed in this leak.