Full Report
Two-day exploit opened up 3.5 billion users to myriad potential harms

Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the "largest data leak in history."…
Analysis Summary
# Vulnerability: WhatsApp User Enumeration Leading to Massive Data Scraping
## CVE Details
- CVE ID: Not explicitly provided in the text. (This appears to be a zero-day/bug bounty finding disclosed privately, often preceding formal CVE assignment).
- CVSS Score: Not explicitly provided in the text.
- CWE: Likely CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) or CWE-400 (Uncontrolled Resource Consumption), given that rate limiting was insufficient to prevent mass scraping.
## Affected Systems
- Products: WhatsApp Messaging Platform (Meta/Facebook)
- Versions: Undisclosed, affecting versions prior to the patch deployment.
- Configurations: Any configuration allowing standard user lookup functionality via phone number input, lacking sufficient rate limiting controls.
## Vulnerability Description
The flaw resided in WhatsApp's mechanism for allowing users to look up others via phone numbers. By systematically inputting generated phone numbers (over 100 million accounts per hour) without encountering effective rate limiting or account blocking, researchers successfully enumerated basic personal data for 3.5 billion registered WhatsApp users. The leaked data included phone numbers, user names, profile images, and profile text status messages.
## Exploitation
- Status: Confirmed actively exploited by researchers via a proof-of-concept mechanism based on systematic phone number input.
- Complexity: Low (Automated tool leveraging an existing API feature).
- Attack Vector: Network (Remote via standard application interface).
## Impact
- Confidentiality: High (Collection of 3.5 billion records containing PII, profile pictures, and potentially sensitive status information revealing political views, sexual orientation, etc.).
- Integrity: Low (No modification of user data, but data integrity compromised upon leakage).
- Availability: None (Service functionality was maintained).
## Remediation
### Patches
- Specific patch versions were not announced, but Meta confirmed that countermeasures were implemented following responsible disclosure. Researchers confirmed that the exact method used for the original study was blocked swiftly upon retesting after remediation.
### Workarounds
- No official vendor workarounds were listed, as the vulnerability was addressed via platform-side security enhancements (anti-scraping systems).
## Detection
- Indicators of compromise: Unusually high volumes of phone number lookup requests originating from specific IP ranges or user sessions against WhatsApp enumeration endpoints.
- Detection methods and tools: Monitoring rate-of-query metrics against user lookup functionalities. The researchers utilized a tool built on Google's `libphonenumber` for number generation.
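
One way to implement the rate-of-query monitoring described above, as an added example (not code from Meta, WhatsApp or the researchers). The log format, the 60-second window, the threshold of 5 distinct numbers and the /24 grouping are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_S = 60      # sliding window length in seconds (assumed)
MAX_DISTINCT = 5   # distinct numbers allowed per window (assumed; tune to real contact-sync load)

# Constructed records: "epoch_seconds session_id client_ip looked_up_number"
SAMPLE_LOG = (
    # one ordinary session: 3 lookups spread over 50 seconds
    [f"{1000 + 25 * i} s-alice 198.51.100.7 +1555010{i:04d}" for i in range(3)]
    # one session issuing 7 lookups in 7 seconds
    + [f"{2000 + i} s-bulk 192.0.2.50 +1555011{i:04d}" for i in range(7)]
    # two sessions in the same /24, 4 lookups each, interleaved
    + [f"{3000 + i} s-x{i % 2} 203.0.113.{10 + i % 2} +1555012{i:04d}" for i in range(8)]
)

def parse(line):
    """Split one record and reduce the client IP to its /24 range."""
    ts, session, ip, number = line.split()
    prefix = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return int(ts), session, prefix, number

def detect(lines, window=WINDOW_S, limit=MAX_DISTINCT):
    """Return {(kind, key): peak distinct numbers per window} for keys over the limit.

    Each record is counted twice, once per session and once per IP range,
    so lookups spread across several sessions still add up in the range view.
    Records must be in timestamp order.
    """
    recent = defaultdict(deque)  # (kind, key) -> (ts, number) pairs inside the window
    flagged = {}
    for line in lines:
        ts, session, prefix, number = parse(line)
        for key in (("session", session), ("ip_range", prefix)):
            q = recent[key]
            q.append((ts, number))
            while q[0][0] <= ts - window:   # drop entries older than the window
                q.popleft()
            distinct = len({n for _, n in q})
            if distinct > limit:
                flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged

if __name__ == "__main__":
    for (kind, key), peak in sorted(detect(SAMPLE_LOG).items()):
        print(f"ALERT {kind}={key} distinct_numbers_in_window={peak}")
```

In the sample, the `203.0.113.0/24` range is flagged even though neither of its sessions exceeds the per-session limit, which is why the IoC above names IP ranges as well as sessions.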
## References
- Vendor Advisory: Meta stated they were working on industry-leading anti-scraping systems, which were confirmed effective by researchers post-fix.
- Relevant links:
  - Research PDF (URL defanged): [researchers research paper pdf link]
  - Related admission by WhatsApp Boss (URL defanged): hxxps://www.bbc.co[.]uk/news/articles/ckke9x0e50xo