By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more.
I’m guessing the next biggest example of this exact same flaw was when this happened on Facebook like 8 years ago. Who could possibly have seen this coming?
Anyone with an ounce of security knowledge and understanding
When WIRED asked Meta what rate-limiting measures it instituted over the last eight years to prevent the technique Kloeze demonstrated, the company responded that it has, in fact, implemented evolving defenses against scrapers, including rate-limiting and machine-learning techniques to ban scrapers. Yet the University of Vienna researchers were able to not only replicate Kloeze’s work, but take it further, actually enumerating all 3.5 billion registered WhatsApp phone numbers—far more than the service had in 2017.
A generous rate limit of 1 query per second would have taken 111 years to churn through 3.5 billion users (with 100% success rate on guesses). Meta’s rate limit seems to be “the rate at which our servers can query our contact database”.
The answer is obviously less regulations and more tax cuts for the CEOs of these companies, right?