Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
I wonder if there was ever a path for solving this early, like, we made email and that proliferated, if only we'd landed on better identity management first, would we be in some digital messaging utopia.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
We are here because a overwhelming majority of people accept to subject themselves to freedom-oppressing software. If a significant number of people rejected it, that would lower the burden for the rest to also reject it.
Stallman was right.
Stallman was right, but some times I think this is bigger than just software. This is about power, and software is just one of many tools. Stallman was right, but I wonder if his ideas would have resonated more widely if they had been framed in terms of power.
But what if most people don't actually care about these freedoms? What if we're only a small minority? Should we force our views on others through laws and regulations or should we, as free individuals, choose not to use these applications and let others make their own free choices?
While I agree a lot of open source messenger services have terrible UX, I don't think "the masses" care about it that much. What matters is what everyone else is using. People are using Snapchat or Instagram Messenger and I haven't seen a single person who likes the UX of those services - they just use it and put up with hatred for it because that's what all their friends use.
I think this is purely first mover advantage. We get stuck with bad products simply because those were the first products on the market. It is difficult to change them once everyone uses them. The same applies to the adoption of IT on the banking industry. Now we are stuck with COBOL and systems that are hard to migrate without damaging the economy.
This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
But you had the option of having an unlisted or unpublished phone number. To give one datapoint, in Los Angeles in the 1980s about half of all numbers were unlisted. I would expect that the unlisted rate was much higher in big cities like L.A. compared to the rest of the country.
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
> That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en-masse.
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
>Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
we agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
Right, but if a country being at war or in a authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
To create a whatsapp acccount, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power on.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
Stallman was right.
Stallman was right, but some times I think this is bigger than just software. This is about power, and software is just one of many tools. Stallman was right, but I wonder if his ideas would have resonated more widely if they had been framed in terms of power.
I couldn’t imagine a word more related than open source to be honest. Isn’t that junction literally the acronym F/LOSS?
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
Everyone I knew while growing up was in the white pages (parents) with home address, not just phone number.
The early “FreeNet” and ISPs like Compuserve used anonymous usernames. Personalized email addresses came later…
Oddly, because we can’t even pay for privacy today, it appears as if nobody cares. Sure, still desirable but not even an option at any cost.
How we got from there to here is troubling.
Never gonna happen.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
Nor were social security numbers.
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.