Major tech platforms frequently face data breaches due to weak or unsecured APIs, and WhatsApp has now become part of this troubling trend. Researchers recently exploited a flaw in the app’s contact discovery system to collect an astonishing 3.5 billion phone numbers.
How Researchers Uncovered 3.5 Billion WhatsApp Numbers
The issue originated from WhatsApp’s GetDeviceList API, which checks whether a number is registered and which devices are linked to it. The flaw was the absence of effective rate limits: nothing bounded how many times a session could query the endpoint, so repeated requests scaled into mass enumeration of registered numbers.
A team from the University of Vienna and SBA Research decided to see how far they could push this. With just five authenticated sessions, they bombarded the WhatsApp server with queries, expecting to be blocked. Surprisingly, WhatsApp offered no resistance at all. They ended up checking over 100 million phone numbers an hour, ultimately identifying 3.5 billion active accounts from a global pool of 63 billion numbers.
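As an added example (not code from the article or from WhatsApp) of the control the researchers found missing, the sketch below enforces a per-session sliding-window cap on a contact-discovery lookup endpoint. With the constructed cap of 1,000 lookups per session per hour, the five sessions described above would receive 5,000 answers in an hour instead of the 100 million the researchers observed; class, function and session names are assumptions.

```python
"""Added example, not code from the article or from WhatsApp: a per-session
sliding-window rate limiter for a contact-discovery lookup endpoint, the
control the article says was missing. Limits, session names and timings are
constructed for illustration."""
from collections import deque


class LookupRateLimiter:
    """Allow at most `limit` lookups per `window` seconds per session id.
    Timestamps are kept per session, so a client gains nothing by hammering
    one session; it can only add sessions, which a per-account aggregate cap
    (not shown) would then catch."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events = {}   # session id -> deque of request timestamps
        self.rejected = {}  # session id -> count of refused lookups

    def allow(self, session_id: str, now: float) -> bool:
        q = self._events.setdefault(session_id, deque())
        # Evict timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.rejected[session_id] = self.rejected.get(session_id, 0) + 1
            return False
        q.append(now)
        return True


def simulate_enumeration(limit_per_hour: int, sessions: int,
                         attempts_per_session: int) -> int:
    """Constructed scenario: `sessions` sessions each spread
    `attempts_per_session` lookups evenly over one hour. Returns how many
    lookups the limiter answered; the rest were rejected."""
    limiter = LookupRateLimiter(limit_per_hour, 3600.0)
    answered = 0
    for s in range(sessions):
        for i in range(attempts_per_session):
            t = i * 3600.0 / attempts_per_session  # constructed timing
            if limiter.allow(f"session-{s}", t):
                answered += 1
    return answered


if __name__ == "__main__":
    # Five sessions, 20,000 lookups each: 100,000 attempts, 5,000 answered.
    print(simulate_enumeration(1000, 5, 20_000))
```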
More Than Just Numbers Collected
The researchers didn’t stop at merely confirming accounts. They used other endpoints, such as GetUserInfo and FetchPicture, to gather additional details like profile pictures and device information. During their testing in the U.S., they downloaded 77 million pictures, many clearly showing faces. The risk is compounded by persistence: when the researchers compared their results against the 2021 Facebook data leak, about 58% of the numbers exposed then were still in use on WhatsApp, showing that leaked numbers pose an ongoing risk.
It’s worth noting that this study hasn’t been published yet, but the researchers did inform WhatsApp, which has since implemented rate-limiting protections to prevent similar issues in the future. However, the findings demonstrate how quickly attackers could have exploited such a vulnerability had they found it first.
Continued Vulnerabilities in Major Platforms
WhatsApp isn’t alone in facing data breaches linked to insufficient API rate limits. In 2021, hackers used Facebook’s contact-upload feature to create a pool of 533 million profiles, leading to significant fines for Meta. Similarly, Twitter faced an attack that linked email addresses with 54 million accounts through an API bug, and Dell experienced a breach of 49 million customer records via unsecured APIs.
Steps to Protect Your WhatsApp Data
If your number ends up in one of these breaches, you can’t undo the exposure, but there are several steps you can take to minimize your risk:
1) Activate Two-Factor Authentication
Enable 2FA on WhatsApp and your other important accounts. This adds an extra layer of security, making it difficult for unauthorized users to access your account.
2) Consider Using a Password Manager
Password managers help ensure your passwords are unique and strong, reducing the risk of credential-stuffing attacks in which an attacker pairs your phone number with passwords exposed in other breaches.
3) Limit Public Data
Opt out of data brokers and public databases where possible. Fewer public details mean less information is accessible to attackers.
4) Tighten Profile Sharing
Keep your WhatsApp profile minimal. Avoid sharing job titles or links that could help build a complete profile for scammers.
5) Adjust Privacy Settings
Set your privacy settings to restrict who can see your information. Limit visibility of your profile picture and status updates to “Contacts Only” or “Nobody.”
6) Install Reliable Antivirus Software
Strong antivirus can block malicious downloads and links, providing additional protection against phishing attempts.
7) Be Cautious With Unknown Contacts
Approach unsolicited messages and calls with skepticism. Avoid clicking links or sharing sensitive information.
Final Thoughts
While WhatsApp may have patched this particular flaw, the broader issue of inadequate API security remains. If platforms don’t prioritize protecting APIs, incidents like this will continue to occur. What do you think about the necessity of strict API regulations for apps? Feel free to share your thoughts.