A massive WhatsApp security hole means that over 3.5 billion phones numbers have been exposed on the internet. The flaw was first reported to Meta 8 years ago, All someone has to do is plug a phone number into the service’s search history tool to check whether it’s valid. A savvy data thief could automate that process as there is no limit to how many times someone can search for a number.
Once a phone number is validated, the data scraper can also grab names, profile photos and other information.
Researchers from the Univeristy of Vienna found the flaw which was reported in Wired.[subscription required to read full article].
The researchers proved the flaw was real by extracting those 3.5 billion phone numbers before reporting the issue to Meta. They have deleted the data they extracted. It took Meta another six months to limit the number of phone number searches so the exploit is now closed.
WhatsApp says there is no evidence that the vulnerability was used by malicious actors.
While phone numbers are rarely considered private information, this data can be used to validate data stolen in other attacks.
I don’t use my main phone number on WhatsApp or any Meta service. I pay an annual subscription to MySudo which gives me an anonymous USA phone number over a Voice over IP service. Unlike Australian carriers, MySudo does not require any identification to set up an account. It allocates you a phone number and you can choose which area in the USA the number is based.
If the number is stolen in a hack or starts to receive lots of spam calls and texts, I can easily switch to a new number.
Anthony is the founder of Australian Apple News. He is a long-time Apple user and former editor of Australian Macworld. He has contributed to many technology magazines and newspapers as well as appearing regularly on radio and occasionally on TV.