Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
Related to Zero Knowledge Proofs, the advantage is that phone numbers need never be shared in cleartext, preempting whole classes of attacks. However, could be overkill for your needs, and I am not sure how well current techniques would scale.
alkindiffie 79 days ago [-]
The RFC addresses security, but does not mention anything about privacy.
I think the scheme ultimately boils down to trusting the server/instance.
It would be great if users don't have to share the actual number with the server,
a hash or something like that but that would make it impossible to verify the number and verification is required to prevent spoofing.
Another way maybe is to have a trusted 3rd party (something like EFF, LetsEncrypt) that can be used by users to validate their numbers and applications can get the hashes from there.
hhh 79 days ago [-]
phone numbers aren’t unique enough for hashes, a lookup table would not be that much effort
npunt 79 days ago [-]
Ah its great you bring this up, it's timely as my app is adding contacts syncing soon and I want to do it in a secure/private way. If you choose to go ahead with this, are there any plans to make it open source? ty!
pfraze 79 days ago [-]
Yeah, it will be
fsckboy 80 days ago [-]
[flagged]
pfraze 80 days ago [-]
solid burn
GlacierFox 80 days ago [-]
[flagged]
pfraze 80 days ago [-]
It's a retirement home for elder millennials who just happen to be insane. Not the same thing.
isodev 79 days ago [-]
Ok, let’s not have the is Bluesky decentralised discussion again. Kudos to Bluesky’s PR efforts to use complex technology to basically sell themselves as whatever people want to hear (like NFTs but social media). There are a number of X/Threads clones out there, but I’d take a group chat on some relatively secure messaging platform over “social media” any day. Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
We really need to rethink this “one corp owns all the keys and all servers” setup.
pfraze 79 days ago [-]
I’m just glad we didn’t have the conversation again
godelski 79 days ago [-]
> Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
What's stopping you? Even threads can connect to BlueSky
lxgr 79 days ago [-]
> Even threads can connect to BlueSky
I thought Threads only interoperates with Mastodon/the fediverse in some limited capacity. Did I miss some Bluesky integration announcement?
godelski 79 days ago [-]
You just need a bridge, as with connecting any decentralized platforms
That's opt-in, mangles usernames, and on top of that quite a few people on Mastodon seemed allergic to the very idea of bridging/federation the last time I looked into it.
godelski 78 days ago [-]
> That's opt-in
So? It's just an example. I'm sure you could do it in a cleaner way. They use different protocols. If you can run your own server and connect with open source tools, it's decentralized. Though of course that doesn't mean a decentralized protocol isn't highly centralized. See email
yehoshuapw 79 days ago [-]
so matrix? (which has it's own issues, but will hopefully overcome them eventually)
tradevapp 79 days ago [-]
Yup
> highlights the risks associated with the centralization of instant messaging services
Any cervices, really
ChrisMarshallNY 80 days ago [-]
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
GCUMstlyHarmls 80 days ago [-]
I wonder if there was ever a path for solving this early, like, we made email and that proliferated, if only we'd landed on better identity management first, would we be in some digital messaging utopia.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
ivell 79 days ago [-]
The public keys won't be stable as we would need to rotate them. We need both a stable identity and a proof of that identity. Security is not very user friendly and would have made the digital tech even more fringe. One of the reasons email and web took off was its comparative ease of use.
RobertoG 79 days ago [-]
Maybe, but, in practice, email has been basically centralized too. For most people, it's just too convenient to get a gmail account for free, and forget about any maintenance headache.
wongarsu 79 days ago [-]
But that only started when gmail launched with a deal that was too good to refuse (a mailbox that was huge for the time, and grew bigger over time). Before that most people just used the free email account they got from their ISP. That also comes without maintenance headache for the user and is at least somewhat less centralized
LunaSea 79 days ago [-]
Yeah but you change your ISP more often (pricing reasons, moving to a different state or country) than your email provider.
slumberlust 79 days ago [-]
Damn, in the last twenty years I've never lived at a place with more than one option for ISP (excluding satellite options).
rzerowan 79 days ago [-]
For messaging i think early skype had it sorted more or less , decentralised - widely used and intuitive identity.
If it had been allowed to evolve identity maybe like email(matrix or even bsky) got federated with custom servers/identities and handles that could still interoperate, would be nice. Instead MS bought it and ran it into the ground.
tradevapp 79 days ago [-]
I think tech companies would've eventually attempted to build some walls around that and monetise it. Regardless of technology, the challenge is someone wants to "take this to the next level" - as long as it's investor driven, it remains "open" only as long as that brings more money or community good will
dijit 79 days ago [-]
I wonder what happened to Mozilla Persona.
That was super nice.
ibizaman 79 days ago [-]
https://simplex.chat/ Seems to take security and decentralization pretty far while keeping it convenient enough.
_the_inflator 79 days ago [-]
I have more confidence in Meta than the government.
I mean this as expression of technical feasibility and capability to achieve risk reduction with technical measures in an adequate amount of time.
Remember, that for the rest of the non-technical units out there the “digitization” and “IT implementation projects” fail on a massive scale.
Shit in shit out.
Whatever we trash FAANG for, any government has way more blowout.
ragebol 79 days ago [-]
You trust it more than your government. Which stands to reason at the moment if you are in the US. But there are competent, more trustworthy governments in other parts of the world. And other companies people might trust more than Meta.
Decentralization allows people to choose who they trust. Or rather requires them to really
dragonwriter 79 days ago [-]
> You trust it more than your government. Which stands to reason at the moment if you are in the US.
No, it really doesn't, and not because I have any faith in the current US government, just because I've seen the way Meta relates to it.
karel-3d 79 days ago [-]
just read the matrix thread on hn homepage.
yeah
loeg 80 days ago [-]
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
paganel 79 days ago [-]
It's a feature for many of us, it is for me, cause when I input a new phone number in my contacts (like let's say a plumber's phone number I found on the internet) I first go to WhatsApp to check if they've got a profile there, in which case I contact them directly using WhatsApp, not via voice-call/SMS.
n4r9 79 days ago [-]
Occasionally is probably fine. In bulk is where I imagine scam companies get interested.
patja 79 days ago [-]
Why is it OK to allow enumeration of accounts with a given phone number, when it is generally considered to be a privacy and security violation to allow someone to enter email addresses and confirm if they have an account with a service or app?
I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.
loeg 79 days ago [-]
It's for contact discovery. It's actually pretty similar for email? If you enter an email address in your mail client and send an email to it, in most configurations you'll get some kind of notification if the recipient doesn't exist.
Email, of course, has an unlimited number of possible addresses. Phone numbers are a dense space with limited parameter length. So it is easier to enumerate all phone numbers.
jwrallie 79 days ago [-]
I’ve been receiving lots of SMS lately claiming to come from “WatApp”, “whtas app” and similar instead of a phone number.
I assume it can be related to this leak? Knowing someone uses a service can increase the effectiveness of targeted phishing.
Interestingly it’s harder to block these senders that do not advertise a number on sms.
fckgw 79 days ago [-]
No. Firstly, there was no "leak", the data was never shared. The experiment was conducted by researchers then the data set destroyed. Secondly, there's 3.5b WhatsApp accounts. They just send the same message to everyone and the majority of numbers will have an account regardless.
esquivalience 79 days ago [-]
From the article:
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
baby 79 days ago [-]
I was always amazed when discussing with Americans who have kept their phone numbers since they were kids, there was a time I would change phone number every year
zahlman 79 days ago [-]
Keeping the same number is more convenient for the people that you do want calling you.
I imagine that for some, it also contributes to a sense of identity, much the same way that a mailing address might.
baby 76 days ago [-]
I imagine that in this modern world people have kept emails longer than phone numbers or physical mailing addresses
pavel_lishin 79 days ago [-]
I'm one of those, as far as I can tell, I've had the same cellphone number since at least college, possibly high school.
Where do you live, and why do cell phone numbers cycle so quickly?
baby 76 days ago [-]
A mix of moving abroad a lot, but also change of phone provider (often moved provider because they were cheaper, and didn't manage to keep my number). I also never really made an effort to keep the same phone number as most people used email, then facebook, then other online apps (whatsapp, instagram, etc.) and I rarely used my phone number for anything long-term relationship
herbst 79 days ago [-]
Because it doesn't matter. Or it didn't in the past, now it's a security nightmare to not have your number anymore and risk someone else having it before you changed it everywhere.
newcool1230 76 days ago [-]
Now that lots of services require you to have a phone/use a phone number to login changing numbers could potentially mean losing access to services/accounts you use. (I also hate this)
rPlayer6554 79 days ago [-]
Swapping my phone number every year in the US would be an annoying as hell. Tons of services use phone number as 2FA or a backup recovery. (Including a lot of banks) I use SMS with some people and that would cut contact with them. Same direction if they changed numbers.
baby 76 days ago [-]
using a phone number as 2FA is generally bad practice but yeah I see what you mean. For anything else I think using whatsapp makes more sense
jorts 79 days ago [-]
Yeah, I've had the same number since about 2001. It's nice as I've moved since then so any number that calls from my area code is definitely spam, although that's not really an issue now that my phone doesn't ring for unknown numbers.
hulitu 78 days ago [-]
Changing phone numbers is like changing email. You risk losing access to some services/friends.
baby 76 days ago [-]
I haven't had any friend use my phone number to reach me out since like 2008?
epolanski 79 days ago [-]
I'm 38 and have the same number I had since 1999.
autoexec 80 days ago [-]
This doesn't seem like much of a leak. It sounds like users created public profiles that would be shown to anyone who entered their phone number while searching for other users.
The researchers managed to get a list of users and the public information in their profile by looking up random numbers, but all they got was the public information users put in their profiles.
Since facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly avilable information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
entropoem 80 days ago [-]
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
Hnedelin 79 days ago [-]
The EU had one job, and it was to block this deal. It was obvious that a company with no income and no real monetization model is not worth 19 Billion, and that Facebook is after the users. But no, they let it go through with some bs conditions. But hey, at least they forced apple to use usb-c, that made a real difference
abigailphoebe 79 days ago [-]
this is just... enumeration of phone numbers?
how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
lxgr 79 days ago [-]
A complete lack of rate limiting at a privacy-sensitive endpoint is arguably a fault.
johnisgood 79 days ago [-]
I agree with this, but not the rest. It is not a security vulnerability, and I am not sure it being a privacy-sensitive endpoint either. Like someone pointed out, if you check one of your contacts and they have WhatsApp, you can tell, and you can message them from there. This is a feature.
I agree that there should be rate limiting of some sort.
lxgr 79 days ago [-]
Scale matters a lot for privacy.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
fragmede 79 days ago [-]
If Whatsapp is banned in the country and you could get sent to jail for using it, I'd want the fact that I'm using Whatsapp to be kept private.
johnisgood 79 days ago [-]
Sure, they probably should implement it to be able to make it private, but then again, I do not trust Meta and I do not think you should trust it either, so if you get sent to jail for using it, you should probably be wary of it either way.
There are many alternatives to WhatsApp, you may want to try them. Briar, Ricochet Refresh, Session, Matrix (Element), Jabber (with OMEMO and whatnot), among many others.
patja 79 days ago [-]
Why isn't it a privacy and security problem if it is just done for a single phone number?
What is this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
xwolfi 79 days ago [-]
100M per hour... it's quite ridiculous no ?
abigailphoebe 79 days ago [-]
just read the pre-print paper.
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered ratelimiting and bypassed it, it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i faulter on calling it a vulnerability as in my eyes that term is specifically for unintended side affects / exploitation.
lxgr 79 days ago [-]
> i was under the impression they had encountered ratelimiting and bypassed it
Wouldn't that be the exact same privacy problem in effect? What's the practical difference between ineffective and no rate limiting?
abigailphoebe 79 days ago [-]
ehh, not really.
assuming a reasonable ratelimit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of whatsapp, the issue this paper highlights is that there is no protection against mass scraping
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
maratumba 79 days ago [-]
I don't know if it's related but this morning I realized that I'd been logged out of my Whatsapp account. When I tried to log back in, I couldn't get Whatsapp to confirm my phone number. I didn't get the SMS they sent for the recovery code. Thankfully "call me" option worked for receiving the recovery code. But then I was asked a 2fa PIN which I (unfortunately) never had set up. "Forgot my PIN" also didn't send an email to my account (which I'm pretty sure I also hadn't set up anyway).
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.
hofrogs 79 days ago [-]
It would be insane if you could recover an account only having access to a phone number, since phone numbers can be redistributed to other people if you stop paying for your phone plan and then someone who gets your number will also inherit all your contacts and chats
jowea 79 days ago [-]
Your contacts could still end up messaging the new owner of the number inadvertently if you don't warn them before losing the number or out of band through. It seems WhatsApp doesn't has no warning if such a owner change happened. I believe the new owner would inherit your group memberships too, but not the group chat history.
This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
porridgeraisin 80 days ago [-]
There is a way to show profile pictures to only contacts. It's a setting.
chatmasta 80 days ago [-]
Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.
throwaway290 79 days ago [-]
> Yes, and those people didn't get their profile pictures exposed through this phone number enumeration.
They did and this was not enumeration, did you read post?
chatmasta 79 days ago [-]
The post with the headline “Worldwide enumeration of accounts was possible?”
throwaway290 79 days ago [-]
OK... but it's not phone number enumeration. You need to give it a phone number to check if whatsapp acc is registered for it. So you need to have a collection of phone numbers first. If you have a collection of all phone numebrs in the world then you could enumerate whatsapp accounts.
And yes the pictures were leaked in the process.
hashhar 79 days ago [-]
It's trivial to enumerate all the phone numbers in the world.
throwaway290 79 days ago [-]
exactly. to claim enumerating phone numbers is a whatsapp bug is stupid. and to say profile pictures were not revealed = not reading tfa.
yorwba 79 days ago [-]
"The accessible data items used in the study are the same that are public for anyone who knows a user's phone number and consist of: phone number, public keys, timestamps, and, if set to public, about text and profile picture." Source: TFA, which I read.
throwaway290 79 days ago [-]
From my understanding the accessible data items meant they got them through the bug? Maybe I read wrong
ale42 80 days ago [-]
A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
ruinin 80 days ago [-]
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
SweetSoftPillow 80 days ago [-]
I'm almost 100% sure that one of them is the only North Korean Steam user.
jeingham 80 days ago [-]
I hope nobody tells Kim there are another four users. I'm not sure their prison system can handle anymore, pretty well booked up last I heard.
userbinator 79 days ago [-]
If anything, the other four are likely to also be Kims.
0cf8612b2e1e 80 days ago [-]
The lack of rate limiting was surprising.
ale42 79 days ago [-]
Yes, indeed, I wouldn't have expected to be possible to enumerate all of them in a short time from a single IP.
wang_li 79 days ago [-]
If this is a security vulnerability, then these guys just documented their exploitation of said vulnerability. Sounds like a crime.
Proper research would be to identify an issue, write up the issue, conduct a handful of tests, report the issue. Improper research is enumerate the entire input space and gather as much data as you can from the target.
TZubiri 80 days ago [-]
Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
Krasnol 80 days ago [-]
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
perch56 80 days ago [-]
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
TZubiri 80 days ago [-]
Right, but if a country being at war or in a authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
catmanjan 80 days ago [-]
[flagged]
j16sdiz 80 days ago [-]
To create a whatsapp acccount, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
varenc 80 days ago [-]
The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en-masse.
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
TZubiri 80 days ago [-]
>Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
varenc 80 days ago [-]
we agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.
Hnedelin 79 days ago [-]
Governments in these countries have full and absolute control over ISPs and phone operators. If they didn’t already know someone is using whatsapp, they are not totalitarian governments to begin with. And who in their right mind would use whatsapp in those countries? There are much better and safer alternatives.
TZubiri 80 days ago [-]
Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power on.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.
Krasnol 79 days ago [-]
Wow so much unrelated drama combined with pretty interesting advertisement.
Do you work for Meta?
People don't use WhatsApp because it's so secure. In certain countries people started using it because it was the first app that was cheaper than SMS and now they use it because everybody else is still using it. There is no other significant reason.
They have a history of security issues going back to 2011 when you could take over other peoples account. Today is just the last story of this ugly and leaking brother to Signal. The actually "most secure" app out there.
79 days ago [-]
loeg 80 days ago [-]
> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
londons_explore 80 days ago [-]
The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused...
Never gonna happen.
nicce 80 days ago [-]
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
gruez 80 days ago [-]
>3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
nicce 80 days ago [-]
> That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
tamimio 80 days ago [-]
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
jojobas 80 days ago [-]
But it's to combat spam, we swear! Because of course there is no spam in whatsapp!
londons_explore 79 days ago [-]
Spam in WhatsApp is super low.
Of 10,000 received messages, perhaps 2 are spam?
Sophira 80 days ago [-]
Phone numbers were never supposed to be secret.
Nor were social security numbers.
hdgvhicv 80 days ago [-]
We used to put phone numbers and addresses in printed books and give them to everyone.
netsharc 79 days ago [-]
I remember looking in a 1930's phone book for Zurich, and it even mentions the person's job (I guess for significant jobs like company owner)...
ta20240528 79 days ago [-]
Norway still publishes everyone's tax returns.
netsharc 79 days ago [-]
But now you need to enter your own tax number to lookup other people's data, and they can see that you've been peeking.
But I suppose one could start a service, so you could pay them to look up a 3rd party's tax returns...
hsbauauvhabzb 80 days ago [-]
Phone numbers are treated as permanent even though they’re ephemeral. So here we are.
80 days ago [-]
zgk7iqea 80 days ago [-]
Is phone number enumeration now considered a vulnerability? Really?
hekkle 80 days ago [-]
I know, remember when the telco's just published those in books every year?
alister 80 days ago [-]
But you had the option of having an unlisted or unpublished phone number. To give one datapoint, in Los Angeles in the 1980s about half of all numbers were unlisted. I would expect that the unlisted rate was much higher in big cities like L.A. compared to the rest of the country.
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
BobbyTables2 80 days ago [-]
Very good point.
Everyone I knew while growing up was in the white pages (parents) with home address, not just phone number.
The early “FreeNet” and ISPs like Compuserve used anonymous usernames. Personalized email addresses came later…
Oddly, because we can’t even pay for privacy today, it appears as if nobody cares. Sure, still desirable but not even an option at any cost.
How we got from there to here is troubling.
Hnedelin 79 days ago [-]
What do you mean we can’t pay for privacy and it’s not an option at any cost? Just don’t use big tech services, you pay for them with your data. Use Threema instead, or similar. It is a paid service with focus on privacy.
BobbyTables2 72 days ago [-]
One would nearly have to live like the Amish to avoid all online services.
Both free and paid online services make extensive use of 3rd party tracking services.
Sure, if one has a flip phone and lives as one did in the 1980s…
dylan604 80 days ago [-]
funny thing is, there's probably a decent percentage of people here that don't remember this
austinjp 80 days ago [-]
Sarah Connor?
vachina 79 days ago [-]
I’ve actually thought of doing this myself, but there isn’t really much value in enumerating active phone numbers. Lest you run a full scale scam operation cold calling people to phish for their banking info.
My entire PII is already leaked elsewhere in other breaches.
mlmonkey 80 days ago [-]
"security vulnerability" ....
rubenvanwyk 79 days ago [-]
I can't imagine the scrutiny you must face when your product becomes so mainstream that researchers literally work on identifying security vulnerabilities.
alex1138 80 days ago [-]
The security vuln is that it's owned by a bad faith actor
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
lolidiots 80 days ago [-]
Did they discover it’s not e2e?
xaxaxa123 79 days ago [-]
lol
bfkwlfkjf 80 days ago [-]
[flagged]
phyzix5761 80 days ago [-]
But what if most people don't actually care about these freedoms? What if we're only a small minority? Should we force our views on others through laws and regulations or should we, as free individuals, choose not to use these applications and let others make their own free choices?
mjevans 79 days ago [-]
Most people don't really want freedom of speech. Until they REALLY _NEED_ freedom of speech.
GlacierFox 80 days ago [-]
State an open source alternative so I can explain to you why the masses think it's crap.
flexagoon 80 days ago [-]
While I agree a lot of open source messenger services have terrible UX, I don't think "the masses" care about it that much. What matters is what everyone else is using. People are using Snapchat or Instagram Messenger and I haven't seen a single person who likes the UX of those services - they just use it and put up with hatred for it because that's what all their friends use.
userbinator 79 days ago [-]
MSN Messenger had tons of open-source clients back when it was the popular IM network, and it was a weekend or two of work to write a client for it.
bfkwlfkjf 80 days ago [-]
Open source has nothing to do with this conversation.
nothrabannosir 80 days ago [-]
I’ll bite : how does open source have nothing to do with a comment discussing “freedom oppressing software” and “Stallman”?
To be honest, I couldn’t imagine a word more related than "open source". Isn’t that junction literally the acronym F/LOSS?
uriegas 80 days ago [-]
I think this is purely first mover advantage. We get stuck with bad products simply because those were the first products on the market. It is difficult to change them once everyone uses them. The same applies to the adoption of IT on the banking industry. Now we are stuck with COBOL and systems that are hard to migrate without damaging the economy.
xaxaxa123 79 days ago [-]
SimpleX is the way.
Rendered at 16:52:16 GMT+0000 (Coordinated Universal Time) with Vercel.
Related to Zero Knowledge Proofs, the advantage is that phone numbers need never be shared in cleartext, preempting whole classes of attacks. However, could be overkill for your needs, and I am not sure how well current techniques would scale.
It would be great if users don't have to share the actual number with the server, a hash or something like that but that would make it impossible to verify the number and verification is required to prevent spoofing.
Another way maybe is to have a trusted 3rd party (something like EFF, LetsEncrypt) that can be used by users to validate their numbers and applications can get the hashes from there.
We really need to rethink this “one corp owns all the keys and all servers” setup.
I thought Threads only interoperates with Mastodon/the fediverse in some limited capacity. Did I miss some Bluesky integration announcement?
https://fed.brid.gy/
> highlights the risks associated with the centralization of instant messaging services
Any cervices, really
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
That was super nice.
I mean this as expression of technical feasibility and capability to achieve risk reduction with technical measures in an adequate amount of time.
Remember, that for the rest of the non-technical units out there the “digitization” and “IT implementation projects” fail on a massive scale.
Shit in shit out.
Whatever we trash FAANG for, any government has way more blowout.
Decentralization allows people to choose who they trust. Or rather requires them to really
No, it really doesn't, and not because I have any faith in the current US government, just because I've seen the way Meta relates to it.
yeah
I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.
Email, of course, has an unlimited number of possible addresses. Phone numbers are a dense space with limited parameter length. So it is easier to enumerate all phone numbers.
I assume it can be related to this leak? Knowing someone uses a service can increase the effectiveness of targeted phishing.
Interestingly it’s harder to block these senders that do not advertise a number on sms.
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
I imagine that for some, it also contributes to a sense of identity, much the same way that a mailing address might.
Where do you live, and why do cell phone numbers cycle so quickly?
Since facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly avilable information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
I agree that there should be rate limiting of some sort.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
There are many alternatives to WhatsApp, you may want to try them. Briar, Ricochet Refresh, Session, Matrix (Element), Jabber (with OMEMO and whatnot), among many others.
What is this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered ratelimiting and bypassed it, it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i faulter on calling it a vulnerability as in my eyes that term is specifically for unintended side affects / exploitation.
Wouldn't that be the exact same privacy problem in effect? What's the practical difference between ineffective and no rate limiting?
assuming a reasonable ratelimit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of whatsapp, the issue this paper highlights is that there is no protection against mass scraping
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.
They did and this was not enumeration, did you read post?
And yes the pictures were leaked in the process.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
Proper research would be to identify an issue, write up the issue, conduct a handful of tests, report the issue. Improper research is enumerate the entire input space and gather as much data as you can from the target.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.
Do you work for Meta?
People don't use WhatsApp because it's so secure. In certain countries people started using it because it was the first app that was cheaper than SMS and now they use it because everybody else is still using it. There is no other significant reason.
They have a history of security issues going back to 2011 when you could take over other peoples account. Today is just the last story of this ugly and leaking brother to Signal. The actually "most secure" app out there.
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
Never gonna happen.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
Of 10,000 received messages, perhaps 2 are spam?
Nor were social security numbers.
But I suppose one could start a service, so you could pay them to look up a 3rd party's tax returns...
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
Everyone I knew while growing up was in the white pages (parents) with home address, not just phone number.
The early “FreeNet” and ISPs like Compuserve used anonymous usernames. Personalized email addresses came later…
Oddly, because we can’t even pay for privacy today, it appears as if nobody cares. Sure, still desirable but not even an option at any cost.
How we got from there to here is troubling.
Both free and paid online services make extensive use of 3rd party tracking services.
Sure, if one has a flip phone and lives as one did in the 1980s…
My entire PII is already leaked elsewhere in other breaches.
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
To be honest, I couldn’t imagine a word more related than "open source". Isn’t that junction literally the acronym F/LOSS?