Connor Jones reports:
Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the “largest data leak in history.”
The messaging platform allows users to look up others’ details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set.
Using this feature, the researchers were able to gather user details at a rate of over 100 million accounts per hour by plugging in 63 billion phone numbers generated using a tool they built using the underlying tech of Google’s libphonenumber.
In typical settings, platforms would rely on rate limiting to prevent this kind of abuse, but WhatsApp still allowed enumeration on this scale without the researchers “encountering blocking or effective rate limiting.”
Read more at The Register.