varenc 4 hours ago

The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en masse.

It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.

TZubiri 4 hours ago | parent [-]

>Everyone should still assume their phone number can be linked to their WhatsApp account.

But this has always been the case: the phone numbers are public, and phone numbers are the public key to WhatsApp accounts.

Also, you always could check a specific number to see if it is a WhatsApp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are on. But these seem relatively minor.

varenc 4 hours ago | parent [-]

We agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.