CIO Bulletin
20 November, 2025
Researchers reveal a critical WhatsApp vulnerability that exposes billions of users to significant cybersecurity and privacy threats across the world.
WhatsApp's developers have revealed a serious vulnerability in the application that disclosed the phone numbers and personal information of 3.5 billion users, creating a severe cybersecurity issue that must be treated as urgent. The vulnerability stemmed from WhatsApp's contact discovery feature, which researchers used to make well over 100 million calls each hour owing to weak rate-limiting controls.
Using the reverse-engineered API, the team scanned 63 billion phone numbers in 245 countries and found much more than mere contact information. Profile photos, status messages, encryption keys, and devices and timestamps that were not encrypted were exposed, posing a worldwide cybersecurity threat. The researchers even downloaded 77M U.S. profile pictures, 66% of which had recognizable human faces.
The results indicate severe privacy risks, particularly for users located in nations where WhatsApp is prohibited. China, Myanmar, and Iran had millions of active users, which implies that a leak of the information might subject people to surveillance or legal action. It was also found that almost 50 percent of the phone numbers exposed in the 2021 Facebook attack have not been deactivated, which underscores how long cybersecurity exposure persists.
After responsible disclosure, WhatsApp implemented fixes such as probabilistic rate limiting, limited access to the content of public profiles, and the elimination of timestamp information. One of the major reuse challenges in the Android clients was solved, too.
The event underscores the escalating cybersecurity issues in centralized messaging applications and demonstrates how convenience-oriented features can become vulnerabilities when implemented insecurely.
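
As an added illustration (not code from WhatsApp or the researchers), the following Python example shows one way a contact discovery endpoint can bound the enumeration described above: it budgets the number of distinct phone numbers an account may look up per time window, so re-syncing an address book costs nothing while walking a number range is refused. The class and function names, the thresholds and the sample events are assumptions constructed for this example, and the budget is deterministic, not the probabilistic rate limiting WhatsApp deployed.

```python
from collections import defaultdict, deque


class DiscoveryLimiter:
    """Per-account budget on *distinct* phone numbers looked up per time window."""

    def __init__(self, max_new_numbers=500, window_s=3600):
        self.max_new = max_new_numbers
        self.window_s = window_s
        self.seen = defaultdict(dict)    # account -> {number: time it was counted}
        self.order = defaultdict(deque)  # account -> (time, number) in arrival order

    def _expire(self, account, now):
        # Drop numbers whose charge has aged out of the window.
        queue, seen = self.order[account], self.seen[account]
        while queue and now - queue[0][0] >= self.window_s:
            _, number = queue.popleft()
            del seen[number]

    def allow(self, account, number, now):
        """Return True if the lookup may proceed, False if it must be refused."""
        self._expire(account, now)
        seen = self.seen[account]
        if number in seen:             # re-syncing a known contact is free
            return True
        if len(seen) >= self.max_new:  # budget spent: refuse and log for review
            return False
        seen[number] = now
        self.order[account].append((now, number))
        return True


def replay(events, **limits):
    """Feed (account, number, time) events; return refused lookups per account."""
    limiter, refused = DiscoveryLimiter(**limits), defaultdict(int)
    for account, number, now in events:
        if not limiter.allow(account, number, now):
            refused[account] += 1
    return dict(refused)


def sample_events():
    # Constructed sample: "phone-a" re-syncs a 40-entry address book three times;
    # "scanner" walks 1,000 consecutive numbers in a little over three minutes.
    book = [f"+1555010{i:04d}" for i in range(40)]
    sync = [("phone-a", n, t) for t in (0, 1200, 2400) for n in book]
    scan = [("scanner", f"+1555020{i:04d}", i * 0.2) for i in range(1000)]
    return sorted(sync + scan, key=lambda e: e[2])
```

Counting distinct numbers instead of raw requests is what separates the two behaviours: a legitimate client repeats the same small set, while enumeration keeps presenting numbers the account has never queried.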







