A structural flaw in the platform's architecture raises doubts about the service's security and reopens criticisms that Meta ignored for seven years.
Researchers at the University of Vienna have revealed a critical vulnerability in WhatsApp that exposed the phone numbers of 3.5 billion users worldwide. Meta says it fixed the problem in October of last year.
According to the published findings, the researchers were able to automate, without being throttled, mass queries against WhatsApp's contact-discovery feature, which is designed to check whether a phone number is associated with an account. The automation let them test up to 100 million numbers per hour, confirming not only which accounts existed but also retrieving the profile pictures of 57% of users along with their profile descriptions. The volume of data that can be collected this way is enormous, and the researchers describe the potential impact as "the largest data breach in history."
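The enumeration described above is, in effect, an unthrottled bulk lookup against the contact-discovery endpoint: millions of sequential numbers, far faster than any address-book sync. As an added example (not code from the study, from Wired or from Meta), the following Python shows how a service could detect that pattern in its own request logs. The log format (`<ISO timestamp> <client_id> <target_number>`), the client names and the thresholds are assumptions, and the log lines are constructed inline; the two signals it combines are a per-client rate over a sliding window and the fraction of lookups that walk numbers consecutively.

```python
"""Flag contact-discovery enumeration in a lookup log.

Added example, not code from the Vienna study, Wired or Meta. It assumes a
hypothetical log in which each line is:  <ISO timestamp> <client_id> <number>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds. A real service tunes them against legitimate contact
# syncs (a new phone uploading a few thousand unordered contacts).
MAX_LOOKUPS_PER_WINDOW = 50        # lookups allowed per client per window
WINDOW = timedelta(seconds=60)
SEQUENTIAL_RATIO = 0.8             # share of lookups that are previous + 1
MIN_SAMPLE = 20                    # lookups needed before judging order


def parse_line(line):
    """Split one log line into (timestamp, client id, number as int)."""
    ts, client, target = line.split()
    return datetime.fromisoformat(ts), client, int(target)


def sequential_ratio(numbers):
    """Fraction of adjacent lookups where the target is the previous + 1.

    Address-book uploads look random; an enumerator walks number ranges.
    """
    if len(numbers) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(numbers, numbers[1:]) if b == a + 1)
    return steps / (len(numbers) - 1)


def flag_enumerators(lines):
    """Return {client_id: sorted list of reasons} for suspicious clients."""
    recent = defaultdict(deque)    # client -> timestamps inside WINDOW
    targets = defaultdict(list)    # client -> every number looked up
    flagged = {}
    for line in lines:
        ts, client, target = parse_line(line)
        q = recent[client]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop timestamps older than the window
            q.popleft()
        targets[client].append(target)

        reasons = set(flagged.get(client, ()))
        if len(q) > MAX_LOOKUPS_PER_WINDOW:
            reasons.add("rate")
        if (len(targets[client]) >= MIN_SAMPLE
                and sequential_ratio(targets[client]) >= SEQUENTIAL_RATIO):
            reasons.add("sequential")
        if reasons:
            flagged[client] = sorted(reasons)
    return flagged


def build_sample_log():
    """Constructed log: one legitimate client and two enumerators."""
    base = datetime(2025, 1, 1, 12, 0, 0)
    lines = []
    # app-1: 30 unordered lookups spread over five minutes (a contact sync).
    for i in range(30):
        ts = base + timedelta(seconds=i * 10)
        lines.append(f"{ts.isoformat()} app-1 4366{(i * 7919) % 10**6:06d}")
    # bot-7: 120 consecutive numbers inside one minute (fast enumeration).
    for i in range(120):
        ts = base + timedelta(milliseconds=i * 500)
        lines.append(f"{ts.isoformat()} bot-7 {436600000000 + i}")
    # bot-9: stays under the rate limit but still walks numbers in order.
    for i in range(40):
        ts = base + timedelta(seconds=i * 5)
        lines.append(f"{ts.isoformat()} bot-9 {436700000000 + i}")
    # Interleave by time, as a real server log would be.
    return sorted(lines, key=lambda l: parse_line(l)[0])


if __name__ == "__main__":
    for client, reasons in flag_enumerators(build_sample_log()).items():
        print(f"{client}: {', '.join(reasons)}")
```

The second signal matters because a rate limit alone is easy to evade by spreading lookups across many clients or slowing each one down, as the slow client in the sample shows; the order in which numbers are queried is much harder for an enumerator to disguise.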
Meta's response, tightening the lookup rate limits in October 2024 after being alerted in the spring of that year, conceals a more troubling history. The vulnerability is not new: researcher Loran Kloeze reported the very same problem in 2017.
At the time, the company dismissed the warning and merely recommended that users adjust their privacy settings, leaving the flaw exploitable for seven years.
The newly published study exposes another serious threat to communications security: identical encryption keys found across different accounts. Keys that are supposed to be generated uniquely on each device were being shared, an anomaly the experts attribute to unofficial WhatsApp clients that offer extra features but compromise the integrity of the system.
The registration of 2.3 million Chinese numbers, even though WhatsApp is banned in China, reinforces the picture of widespread use of these alternative clients, which can make private conversations easier to decrypt. Given these structural risks of using phone numbers as identifiers, Meta is now seeking to accelerate the rollout of a pseudonymous identification system, currently in testing.
However, this change comes too late for millions of users whose data may already have been exposed.
Source: Wired