Researchers discover security vulnerability in WhatsApp (univie.ac.at)
168 points by KingNoLimit 8 hours ago | 50 comments
|
pfraze 5 hours ago
Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
|
amiga386 25 minutes ago
Isn't this very similar to the 2020 paper that covered WhatsApp, Telegram and Signal? https://encrypto.de/news/contact-discovery What concerns me is that the only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
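The rate-limiting question raised in the comment above (and the "lack of rate limiting was surprising" remark further down the thread) is easiest to reason about with a concrete server-side check. The block below is an added illustration written for this page; it is not code from WhatsApp, from the paper, or from anyone in the thread, and the budgets, account ids, source networks and phone numbers in it are all constructed. It charges the discovery endpoint one token per number probed (not per request), keeps a budget per account and per source network so that registering many accounts from one network does not multiply the budget, and includes a small calculator for how long a full enumeration would take under a given limit.

```python
"""Server-side rate limiting for a contact-discovery endpoint.

Added example, not WhatsApp's or the paper's code. All limits, account ids,
source networks and phone numbers below are constructed for illustration.
"""


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled continuously."""

    def __init__(self, capacity: float, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = 0.0

    def available(self, now: float) -> float:
        """Refill for elapsed time; the clock is passed in so runs are deterministic."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        return self.tokens

    def take(self, cost: float, now: float) -> bool:
        if self.available(now) < cost:
            return False
        self.tokens -= cost
        return True


class ContactDiscovery:
    """Server side of a 'which of these numbers are registered?' endpoint.

    Two defences assumed here (the thread does not say what WhatsApp does):
      * one token is charged per *number probed*, not per request, so a
        1000-number batch costs 1000 times a single lookup;
      * budgets are kept both per account and per source network, so
        registering many accounts from one network does not multiply them.
    """

    MAX_BATCH = 1000

    def __init__(self, registered, account_limit, source_limit):
        self.registered = set(registered)
        self.account_limit = account_limit  # (capacity, refill_per_sec)
        self.source_limit = source_limit    # (capacity, refill_per_sec)
        self.by_account = {}
        self.by_source = {}

    @staticmethod
    def _bucket(table, key, limit):
        if key not in table:
            table[key] = TokenBucket(*limit)
        return table[key]

    def lookup(self, account: str, source: str, numbers, now: float):
        """Return the registered subset of `numbers`, or None when throttled."""
        numbers = list(dict.fromkeys(numbers))  # duplicates are not charged twice
        if len(numbers) > self.MAX_BATCH:
            return None
        acct = self._bucket(self.by_account, account, self.account_limit)
        src = self._bucket(self.by_source, source, self.source_limit)
        cost = float(len(numbers))
        # Check both budgets before spending either, so a refusal is atomic.
        if acct.available(now) < cost or src.available(now) < cost:
            return None
        acct.take(cost, now)
        src.take(cost, now)
        return {n for n in numbers if n in self.registered}


def seconds_to_enumerate(total_numbers, capacity, refill_per_sec, identities=1):
    """Lower bound on wall-clock time to probe `total_numbers` numbers when the
    attacker controls `identities` independently budgeted accounts or sources.
    Use it to sanity-check whether a proposed limit is actually sufficient."""
    per_identity = total_numbers / identities
    if per_identity <= capacity:
        return 0.0
    return (per_identity - capacity) / refill_per_sec


if __name__ == "__main__":
    # Constructed registry: a 1000-number range with every 250th number registered.
    registered = [f"+43664{i:06d}" for i in range(0, 1000, 250)]
    svc = ContactDiscovery(registered,
                           account_limit=(2000, 100 / 3600),
                           source_limit=(10000, 500 / 3600))
    probe = [f"+43664{i:06d}" for i in range(0, 1000)]
    print("first batch:", sorted(svc.lookup("alice", "198.51.100.0/24", probe, now=0.0)))
    # 5 million numbers against a 5000-number burst refilled at 1000/hour.
    print("hours to enumerate 5M numbers:",
          seconds_to_enumerate(5_000_000, 5000, 1000 / 3600) / 3600)
```

The `identities` parameter of `seconds_to_enumerate` is the part worth running for your own service: a per-account budget that looks fine for one account collapses once an attacker can register thousands of them, which is why the source-network bucket is in there as well.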
|
ChrisMarshallNY 2 hours ago
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway. Centralization of just about anything is an issue, not just messaging. However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
    GCUMstlyHarmls 25 minutes ago
    I wonder if there was ever a path for solving this early, like, we made email and that proliferated, if only we'd landed on better identity management first, would we be in some digital messaging utopia. Would the world be better if we'd been saying "what's your public key?" instead of "what's your email?" in the 90s?
|
|
loeg 3 hours ago
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
|
lolidiots 6 minutes ago
Did they discover it's not e2e?
|
InfoSecErik 5 hours ago
I once participated in some work like this, https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefi... was super helpful. I couldn't find a link to libphonegen that they were referencing.
|
bfkwlfkjf 4 hours ago
We are here because an overwhelming majority of people accept to subject themselves to freedom-oppressing software. If a significant number of people rejected it, that would lower the burden for the rest to also reject it. Stallman was right. Stallman was right, but sometimes I think this is bigger than just software. This is about power, and software is just one of many tools. Stallman was right, but I wonder if his ideas would have resonated more widely if they had been framed in terms of power.
    phyzix5761 an hour ago
    But what if most people don't actually care about these freedoms? What if we're only a small minority? Should we force our views on others through laws and regulations or should we, as free individuals, choose not to use these applications and let others make their own free choices?
    GlacierFox 4 hours ago
    State an open source alternative so I can explain to you why the masses think it's crap.
        flexagoon 3 hours ago
        While I agree a lot of open source messenger services have terrible UX, I don't think "the masses" care about it that much. What matters is what everyone else is using. People are using Snapchat or Instagram Messenger and I haven't seen a single person who likes the UX of those services - they just use it and put up with hatred for it because that's what all their friends use.
        uriegas an hour ago
        I think this is purely first mover advantage. We get stuck with bad products simply because those were the first products on the market. It is difficult to change them once everyone uses them. The same applies to the adoption of IT in the banking industry. Now we are stuck with COBOL and systems that are hard to migrate without damaging the economy.
        bfkwlfkjf 3 hours ago
        Open source has nothing to do with this conversation.
            nothrabannosir an hour ago
            I'll bite: how does open source have nothing to do with a comment discussing "freedom oppressing software" and "Stallman"? I couldn't imagine a word more related than open source to be honest. Isn't that junction literally the acronym F/LOSS?
|
|
|
|
chatmasta 3 hours ago
This is not a security vulnerability, it's been documented in the user interface for years. That's why I have no profile picture and no status. You clearly opt into "everyone" viewing it, and it's obvious that it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn't take a leap of imagination to enumerate that for the space of valid phone numbers.
    porridgeraisin an hour ago
    There is a way to show profile pictures to only contacts. It's a setting.
        chatmasta an hour ago
        Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.
|
|
|
ale42 7 hours ago
A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
    0cf8612b2e1e 5 hours ago
    The lack of rate limiting was surprising.
    ruinin 7 hours ago
    The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number. Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
        SweetSoftPillow 7 hours ago
        I'm almost 100% sure that one of them is the only North Korean Steam user.
        jeingham 5 hours ago
        I hope nobody tells Kim there are another four users. I'm not sure their prison system can handle any more, pretty well booked up last I heard.
|
|
|
entropoem 3 hours ago
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
|
zgk7iqea 5 hours ago
Is phone number enumeration now considered a vulnerability? Really?
    hekkle 4 hours ago
    I know, remember when the telcos just published those in books every year?
        alister 2 hours ago
        But you had the option of having an unlisted or unpublished phone number. To give one datapoint, in Los Angeles in the 1980s about half of all numbers were unlisted. I would expect that the unlisted rate was much higher in big cities like L.A. compared to the rest of the country. What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
            BobbyTables2 28 minutes ago
            Very good point. Everyone I knew while growing up was in the white pages (parents) with home address, not just phone number. The early "FreeNet" and ISPs like Compuserve used anonymous usernames. Personalized email addresses came later... Oddly, because we can't even pay for privacy today, it appears as if nobody cares. Sure, still desirable but not even an option at any cost. How we got from there to here is troubling.
        dylan604 4 hours ago
        funny thing is, there's probably a decent percentage of people here that don't remember this
        austinjp 3 hours ago
        Sarah Connor?
|
|
|
londons_explore 6 hours ago
The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused... Never gonna happen.
    nicce 6 hours ago
    WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
    1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
    2. Backups are not encrypted by default and enabling them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
    3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
        gruez 4 hours ago
        > 3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
        That doesn't make any sense. Why did the UK want to start a fight over iCloud E2EE backups (opt-in) but not WhatsApp E2EE backups (opt-in)?
            nicce 3 hours ago
            > That doesn't make any sense. Why did the UK want to start a fight over iCloud E2EE backups (opt-in) but not WhatsApp E2EE backups (opt-in)?
            Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
|
    Sophira 6 hours ago
    Phone numbers were never supposed to be secret. Nor were social security numbers.
        hdgvhicv 6 hours ago
        We used to put phone numbers and addresses in printed books and give them to everyone.
        hsbauauvhabzb 4 hours ago
        Phone numbers are treated as permanent even though they're ephemeral. So here we are.
    tamimio 6 hours ago
    That's not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
        jojobas 5 hours ago
        But it's to combat spam, we swear! Because of course there is no spam in whatsapp!
|
|
|
mlmonkey 7 hours ago
"security vulnerability" ....
|
alex1138 6 hours ago
The security vuln is that it's owned by a bad faith actor
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
|
TZubiri 7 hours ago
Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
    Krasnol 7 hours ago
    If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making an edgy comment, it's all in the game.
        varenc 3 hours ago
        The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en masse. It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
            TZubiri 3 hours ago
            > Everyone should still assume their phone number can be linked to their WhatsApp account.
            But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts. Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are on. But these seem relatively minor.
                varenc 2 hours ago
                we agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.
|
        perch56 6 hours ago
        In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
            TZubiri 3 hours ago
            Right, but if a country being at war or in an authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military. But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
        j16sdiz 5 hours ago
        To create a whatsapp account, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
        loeg 3 hours ago
        > If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
        What are you talking about? Like what is even the mechanism for your concern? This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
        TZubiri 3 hours ago
        Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power.
        If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes WhatsApp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of WhatsApp. Furthermore WhatsApp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of WhatsApp.
        Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes. Is this a deadly security vulnerability? No, of course not, that's reaching. I'm not sure what would compel these exaggerations, maybe the larping, maybe it's a general hatred towards WhatsApp and you just jump on any opportunity to release your pent up anger.
        It's worth noting that there's a gap between the security capabilities of WhatsApp and the security capabilities they are legally required to have. WhatsApp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost spotless historical record, which is why billions of users trust the application with personal and professional secrets.
        P.S.: Also, you always could find out if a phone number is a WhatsApp user individually, just add them on WhatsApp and try to message them.
|
|