Hey, remember how I reported earlier in the month that WhatsApp will soon enable the use of usernames, instead of phone numbers, as the primary identifier in the app?
Yeah, turns out there’s a security reason for that, with Austrian researchers finding that you can feed every possible phone number combination into WhatsApp’s contact-discovery lookup, through an automated process, and learn which of them belong to WhatsApp accounts, along with whatever profile information those accounts expose (name, profile photo, and the “about” text), for essentially every WhatsApp user in existence.
Which they describe as a significant security flaw that WhatsApp’s parent company Meta has failed to address for years.
As reported by Wired, a team of Austrian security researchers used this method to confirm 3.5 billion phone numbers as active WhatsApp accounts.
As per Wired:
“For about 57% of those users, they also found that they could access their profile photos, and for another 29%, the text on their profiles. Despite a previous warning about WhatsApp’s exposure of this data from a different researcher in 2017, they say, the service’s parent company, Meta, still failed to limit the speed or number of contact discovery requests the researchers could make by interacting with WhatsApp’s browser-based app, allowing them to check roughly a hundred million numbers an hour.”
The mechanism is simple: the contact-discovery feature has to answer “is this number on WhatsApp?” so that address-book sync works, and without a meaningful cap on how many numbers one client can ask about, that yes/no answer becomes an oracle you can run against an entire numbering space. Using this, you could compile a pretty comprehensive database of names and active phone numbers, for whatever purpose you choose.
The researchers have since shared their findings with Meta, which implemented new rate limits in response to stop people from using this as a mass scraping vector.
But even with rate limits, this remains a security concern. Throttling slows a scraper down; it doesn’t change the fact that, as long as the phone number is the identifier, anyone who knows or guesses your number can check whether you’re on WhatsApp. That’s likely why Meta’s now moving towards usernames as an identifier, which decouples the thing people see from the thing scrapers can enumerate.
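To make that concrete, here’s an added toy model (my own illustration, not WhatsApp’s code or the researchers’ tooling) of a contact-discovery lookup with and without a per-client budget. The directory, the number block and the budget of 300 distinct numbers per hour are all constructed for the example; they say nothing about Meta’s actual limits. The point it shows is why the budget should count distinct numbers rather than requests: a real user re-syncing the same 200 contacts ten times is never refused, while a scraper walking a block sequentially is cut off after 300 numbers instead of harvesting every registered account in it.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory, not real data: in a 1,000-number block,
# every fifth number is a registered account; half of those expose a photo.
DIRECTORY = {
    f"+436640000{i:03d}": {"name": f"user{i}", "photo_public": i % 2 == 0}
    for i in range(0, 1000, 5)
}


class RateLimited(Exception):
    """Raised when a client exhausts its lookup budget for the window."""


class FakeClock:
    """Adjustable clock so window expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class ContactDiscovery:
    """Toy stand-in for a contact-discovery endpoint (assumption: simplified
    model, not WhatsApp's real API).

    lookup() says which submitted numbers are registered and returns the
    public profile fields.  With max_distinct=None it behaves like the
    unthrottled service the researchers describe: it answers for every
    number it is asked about.  With a finite max_distinct each client may
    only probe that many *distinct* numbers per window.
    """

    def __init__(self, max_distinct=None, window_seconds=3600, clock=None):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self.clock = clock or time.monotonic
        # client_id -> deque of (timestamp, number) for probes in the window
        self._history = defaultdict(deque)

    def lookup(self, client_id, numbers):
        now = self.clock()
        hist = self._history[client_id]
        while hist and now - hist[0][0] >= self.window:  # expire old probes
            hist.popleft()
        in_window = {num for _, num in hist}
        results = {}
        for num in numbers:
            if num not in in_window:
                if self.max_distinct is not None and len(in_window) >= self.max_distinct:
                    raise RateLimited(
                        f"{client_id}: more than {self.max_distinct} distinct "
                        f"numbers in {self.window}s"
                    )
                in_window.add(num)
                hist.append((now, num))
            results[num] = self._profile(num)
        return results

    @staticmethod
    def _profile(num):
        entry = DIRECTORY.get(num)
        if entry is None:
            return None  # not registered: the lookup itself leaks this bit
        return {"name": entry["name"], "photo_visible": entry["photo_public"]}


def enumerate_block(service, client_id, prefix="+436640000", count=1000, batch=50):
    """Simulated scraper: walk a number block sequentially in batches, keep
    every registered hit, stop at the first refusal.  Returns (hits, probed)."""
    hits, probed = {}, 0
    for start in range(0, count, batch):
        nums = [f"{prefix}{i:03d}" for i in range(start, min(start + batch, count))]
        try:
            res = service.lookup(client_id, nums)
        except RateLimited:
            break
        probed += len(nums)
        hits.update({n: p for n, p in res.items() if p is not None})
    return hits, probed


if __name__ == "__main__":
    hits, probed = enumerate_block(ContactDiscovery(), "scraper")
    print(f"unthrottled: probed {probed}, found {len(hits)} accounts")
    hits, probed = enumerate_block(ContactDiscovery(max_distinct=300), "scraper")
    print(f"budgeted:    probed {probed}, found {len(hits)} accounts")
```

Note that even the budgeted version still answers the registration question for every number it does accept; the budget just changes how much of the numbering space one client can cover per hour. That is the gap usernames are meant to close.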
To be clear, the amount of information a scraper can access through WhatsApp is still limited, with only basic profile data available via phone number matching, and users can make their profile photo and “about” text private to protect themselves from this kind of scraping. What the privacy settings can’t hide is the fact that a number is registered at all, which is what the lookup itself confirms.
Meta also says that it’s found no evidence of malicious actors abusing this element, while it’s also underlined that users’ actual messages remain private and protected by WhatsApp’s default end-to-end encryption.
So, in general terms, this is not a massive data exposure, but it could enable malicious actors to build databases of names paired with confirmed-active phone numbers, which is exactly the raw material that scam calls and messages run on.
As such, you can expect WhatsApp to make a bigger push on usernames moving forward, as it looks to address any concerns, while also monitoring for abuse of phone number matching to protect WhatsApp users.
It’s a lesser data exposure risk, but a risk either way, and it makes sense, then, for Meta to offer an alternative identifier to help limit the potential harm.

