Krasnol 8 hours ago

If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making an edgy comment, it's all in the game.

varenc 4 hours ago | parent | next [-]

The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en masse.

It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.

TZubiri 4 hours ago | parent [-]

>Everyone should still assume their phone number can be linked to their WhatsApp account.

But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.

Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.

varenc 3 hours ago | parent [-]

We agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.

perch56 7 hours ago | parent | prev | next [-]

In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.

TZubiri 4 hours ago | parent | next [-]

Right, but if a country being at war or in an authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military.

But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.

catmanjan 7 hours ago | parent | prev [-]

[flagged]

j16sdiz 6 hours ago | parent | prev | next [-]

To create a whatsapp account, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.

loeg 4 hours ago | parent | prev | next [-]

> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,

What are you talking about? Like what is even the mechanism for your concern?

This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.

TZubiri 4 hours ago | parent | prev [-]

Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power on.

If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.

Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.

Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe it's a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.

It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.

P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.

Krasnol 34 minutes ago | parent [-]

Wow so much unrelated drama combined with pretty interesting advertisement.

Do you work for Meta?

People don't use WhatsApp because it's so secure. In certain countries people started using it because it was the first app that was cheaper than SMS and now they use it because everybody else is still using it. There is no other reason.

They have a history of security issues going back to 2011 when you could take over other people's accounts. Today is just the last story of this ugly and leaking brother to Signal. The actually "most secure" app out there.