It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.

Researchers find flaw exposing billions of WhatsApp phone numbers

A group of researchers at the University of Vienna discovered a surprisingly simple but significant privacy flaw in WhatsApp that enabled them to uncover the phone numbers — and in some cases profile photos and descriptions — associated with 3.5 billion WhatsApp accounts. At the root of the problem lies WhatsApp’s “contact discovery” feature.

The feature, which is intended to help users find contacts on the platform by searching for phone numbers, did not have any limits on searches. The lack of rate-limiting enabled researchers (and potentially any attackers that might also have discovered the same flaw) to automate searches and check tens of billions of possible phone numbers on the platform.

In total, the researchers compiled (and have since deleted) a database of 3.5 billion phone numbers that popped up via contact discovery. Because WhatsApp profile photos are kept public by default, the researchers were able to pair over 57% of these numbers with photos, which, in theory, could have helped link the accounts and numbers to specific individuals. Although a different researcher raised a similar issue back in 2017, WhatsApp did not implement any rate-limiting protections until last month (after this latest research was disclosed responsibly via Meta’s bug-bounty program).
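To make the missing control concrete, here is an added example (not code from the researchers, WhatsApp, or FPF) of a per-account limiter in front of a contact-discovery lookup: it caps how many numbers one request may contain and how many one account may query in a rolling window. The registered-number directory, account names, and cap values are constructed placeholders.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory of registered numbers (placeholder values, not real).
REGISTERED = {"+15550100", "+15550101", "+15550102"}


class ContactDiscoveryLimiter:
    """Sliding-window limiter for contact-discovery lookups, keyed per requesting account.

    Two independent caps apply: numbers per request (max_batch) and numbers per account
    within a rolling window (max_per_window). The default values are hypothetical."""

    def __init__(self, max_batch=50, max_per_window=500, window_seconds=3600):
        self.max_batch = max_batch
        self.max_per_window = max_per_window
        self.window = window_seconds
        # Per-account deque of (timestamp, count) entries still inside the window.
        self._history = defaultdict(deque)

    def _spent(self, account, now):
        """Drop entries older than the window and return numbers queried so far."""
        hist = self._history[account]
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()
        return sum(count for _, count in hist)

    def check(self, account, numbers, now=None):
        """Return (allowed, reason). The request is recorded only when allowed."""
        now = time.monotonic() if now is None else now
        if len(numbers) > self.max_batch:
            return False, "batch_too_large"
        if self._spent(account, now) + len(numbers) > self.max_per_window:
            return False, "window_quota_exceeded"
        self._history[account].append((now, len(numbers)))
        return True, "ok"


def discover_contacts(limiter, account, numbers, now=None):
    """Return (registered numbers, reason), or (None, reason) when the limiter refuses."""
    allowed, reason = limiter.check(account, numbers, now)
    if not allowed:
        return None, reason
    return sorted(n for n in numbers if n in REGISTERED), reason
```

An account that keeps submitting full-size batches exhausts its window quota and is refused until old entries age out, which is the throttling the unprotected endpoint lacked.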

What you can do

  • Limit who can see your WhatsApp profile information. Even with rate-limiting now in place, it is still possible for others to use the contact discovery tool to pull up your phone number and see associated profile information if that information isn’t specifically locked down. To prevent this from happening, you can go into WhatsApp and open up “Settings” > “Privacy” and choose the “My Contacts” option for who can see various individual elements, including your profile photo, about and status information, when you were last online, and any links you have shared in your profile. You can also further restrict this information so that “Nobody” aside from you can see it, but that will make it harder for others to find and contact you on the app.
  • Take a moment to upgrade your WhatsApp privacy and security settings. Especially if you are using it for sensitive communications, it’s important to lock down WhatsApp as best as possible. This includes keeping backups turned off (or at least only using end-to-end encrypted backups with a strong and well-secured encryption password), turning on two-factor authentication for your WhatsApp account, and generally keeping in mind that WhatsApp collects (and can share, if compelled) metadata about who you’re talking to on the platform. For more details on these WhatsApp security tips and considerations, check out our guide on the subject!

Updates from our team

  • It’s Thanksgiving week, and, for many folks, that means travel. Before you hit the roads, rails, or skies this travel season, a friendly reminder about our advice column from earlier this year on securing your passwords while traveling.
  • Speaking of travel, Apple announced last week that iPhone users can now digitize their passport or eligible driver’s license information in their Apple Wallets. In this HuffPost article, our very own David Huerta shares why adding your IDs to a digital wallet might not be the best idea.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best,
Evan

-

Evan Summers

Senior Digital Security Trainer

Freedom of the Press Foundation