Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
Related to Zero Knowledge Proofs, the advantage is that phone numbers need never be shared in cleartext, preempting whole classes of attacks. However, could be overkill for your needs, and I am not sure how well current techniques would scale.
The RFC addresses security, but does not mention anything about privacy.
I think the scheme ultimately boils down to trusting the server/instance.
It would be great if users don't have to share the actual number with the server,
a hash or something like that but that would make it impossible to verify the number and verification is required to prevent spoofing.
Another way maybe is to have a trusted 3rd party (something like EFF, LetsEncrypt) that can be used by users to validate their numbers and applications can get the hashes from there.
phone numbers aren’t unique enough for hashes, a lookup table would not be that much effort
Ah its great you bring this up, it's timely as my app is adding contacts syncing soon and I want to do it in a secure/private way. If you choose to go ahead with this, are there any plans to make it open source? ty!
Yeah, it will be
[flagged]
It's a retirement home for elder millennials who just happen to be insane. Not the same thing.
[flagged]
solid burn
Ok, let’s not have the is Bluesky decentralised discussion again. Kudos to Bluesky’s PR efforts to use complex technology to basically sell themselves as whatever people want to hear (like NFTs but social media). There are a number of X/Threads clones out there, but I’d take a group chat on some relatively secure messaging platform over “social media” any day. Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
We really need to rethink this “one corp owns all the keys and all servers” setup.
I’m just glad we didn’t have the conversation again
> Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
What's stopping you? Even threads can connect to BlueSky
> Even threads can connect to BlueSky
I thought Threads only interoperates with Mastodon/the fediverse in some limited capacity. Did I miss some Bluesky integration announcement?
You just need a bridge, as with connecting any decentralized platforms
so matrix? (which has it's own issues, but will hopefully overcome them eventually)
Yup
> highlights the risks associated with the centralization of instant messaging services
Any cervices, really
From the article:
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
I was always amazed when discussing with Americans who have kept their phone numbers since they were kids, there was a time I would change phone number every year
Swapping my phone number every year in the US would be an annoying as hell. Tons of services use phone number as 2FA or a backup recovery. (Including a lot of banks) I use SMS with some people and that would cut contact with them. Same direction if they changed numbers.
Keeping the same number is more convenient for the people that you do want calling you.
I imagine that for some, it also contributes to a sense of identity, much the same way that a mailing address might.
I'm one of those, as far as I can tell, I've had the same cellphone number since at least college, possibly high school.
Where do you live, and why do cell phone numbers cycle so quickly?
Because it doesn't matter. Or it didn't in the past, now it's a security nightmare to not have your number anymore and risk someone else having it before you changed it everywhere.
Yeah, I've had the same number since about 2001. It's nice as I've moved since then so any number that calls from my area code is definitely spam, although that's not really an issue now that my phone doesn't ring for unknown numbers.
I'm 38 and have the same number I had since 1999.
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
I wonder if there was ever a path for solving this early, like, we made email and that proliferated, if only we'd landed on better identity management first, would we be in some digital messaging utopia.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
Maybe, but, in practice, email has been basically centralized too. For most people, it's just too convenient to get a gmail account for free, and forget about any maintenance headache.
But that only started when gmail launched with a deal that was too good to refuse (a mailbox that was huge for the time, and grew bigger over time). Before that most people just used the free email account they got from their ISP. That also comes without maintenance headache for the user and is at least somewhat less centralized
Yeah but you change your ISP more often (pricing reasons, moving to a different state or country) than your email provider.
The public keys won't be stable as we would need to rotate them. We need both a stable identity and a proof of that identity. Security is not very user friendly and would have made the digital tech even more fringe. One of the reasons email and web took off was its comparative ease of use.
For messaging i think early skype had it sorted more or less , decentralised - widely used and intuitive identity.
If it had been allowed to evolve identity maybe like email(matrix or even bsky) got federated with custom servers/identities and handles that could still interoperate, would be nice. Instead MS bought it and ran it into the ground.
I think tech companies would've eventually attempted to build some walls around that and monetise it. Regardless of technology, the challenge is someone wants to "take this to the next level" - as long as it's investor driven, it remains "open" only as long as that brings more money or community good will
I wonder what happened to Mozilla Persona.
That was super nice.
https://simplex.chat/ Seems to take security and decentralization pretty far while keeping it convenient enough.
I have more confidence in Meta than the government.
I mean this as expression of technical feasibility and capability to achieve risk reduction with technical measures in an adequate amount of time.
Remember, that for the rest of the non-technical units out there the “digitization” and “IT implementation projects” fail on a massive scale.
Shit in shit out.
Whatever we trash FAANG for, any government has way more blowout.
You trust it more than your government. Which stands to reason at the moment if you are in the US. But there are competent, more trustworthy governments in other parts of the world. And other companies people might trust more than Meta.
Decentralization allows people to choose who they trust. Or rather requires them to really
> You trust it more than your government. Which stands to reason at the moment if you are in the US.
No, it really doesn't, and not because I have any faith in the current US government, just because I've seen the way Meta relates to it.
just read the matrix thread on hn homepage.
yeah
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
Why is it OK to allow enumeration of accounts with a given phone number, when it is generally considered to be a privacy and security violation to allow someone to enter email addresses and confirm if they have an account with a service or app?
I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.
It's for contact discovery. It's actually pretty similar for email? If you enter an email address in your mail client and send an email to it, in most configurations you'll get some kind of notification if the recipient doesn't exist.
Email, of course, has an unlimited number of possible addresses. Phone numbers are a dense space with limited parameter length. So it is easier to enumerate all phone numbers.
I’ve been receiving lots of SMS lately claiming to come from “WatApp”, “whtas app” and similar instead of a phone number.
I assume it can be related to this leak? Knowing someone uses a service can increase the effectiveness of targeted phishing.
Interestingly it’s harder to block these senders that do not advertise a number on sms.
No. Firstly, there was no "leak", the data was never shared. The experiment was conducted by researchers then the data set destroyed. Secondly, there's 3.5b WhatsApp accounts. They just send the same message to everyone and the majority of numbers will have an account regardless.
It's a feature for many of us, it is for me, cause when I input a new phone number in my contacts (like let's say a plumber's phone number I found on the internet) I first go to WhatsApp to check if they've got a profile there, in which case I contact them directly using WhatsApp, not via voice-call/SMS.
Occasionally is probably fine. In bulk is where I imagine scam companies get interested.
This doesn't seem like much of a leak. It sounds like users created public profiles that would be shown to anyone who entered their phone number while searching for other users.
The researchers managed to get a list of users and the public information in their profile by looking up random numbers, but all they got was the public information users put in their profiles.
Since facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly avilable information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
The EU had one job, and it was to block this deal. It was obvious that a company with no income and no real monetization model is not worth 19 Billion, and that Facebook is after the users. But no, they let it go through with some bs conditions. But hey, at least they forced apple to use usb-c, that made a real difference
this is just... enumeration of phone numbers?
how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
A complete lack of rate limiting at a privacy-sensitive endpoint is arguably a fault.
I agree with this, but not the rest. It is not a security vulnerability, and I am not sure it being a privacy-sensitive endpoint either. Like someone pointed out, if you check one of your contacts and they have WhatsApp, you can tell, and you can message them from there. This is a feature.
I agree that there should be rate limiting of some sort.
Scale matters a lot for privacy.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
If Whatsapp is banned in the country and you could get sent to jail for using it, I'd want the fact that I'm using Whatsapp to be kept private.
Sure, they probably should implement it to be able to make it private, but then again, I do not trust Meta and I do not think you should trust it either, so if you get sent to jail for using it, you should probably be wary of it either way.
There are many alternatives to WhatsApp, you may want to try them. Briar, Ricochet Refresh, Session, Matrix (Element), Jabber (with OMEMO and whatnot), among many others.
Why isn't it a privacy and security problem if it is just done for a single phone number?
What is this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
100M per hour... it's quite ridiculous no ?
just read the pre-print paper.
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered ratelimiting and bypassed it, it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i faulter on calling it a vulnerability as in my eyes that term is specifically for unintended side affects / exploitation.
> i was under the impression they had encountered ratelimiting and bypassed it
Wouldn't that be the exact same privacy problem in effect? What's the practical difference between ineffective and no rate limiting?
ehh, not really.
assuming a reasonable ratelimit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of whatsapp, the issue this paper highlights is that there is no protection against mass scraping
I don't know if it's related but this morning I realized that I'd been logged out of my Whatsapp account. When I tried to log back in, I couldn't get Whatsapp to confirm my phone number. I didn't get the SMS they sent for the recovery code. Thankfully "call me" option worked for receiving the recovery code. But then I was asked a 2fa PIN which I (unfortunately) never had set up. "Forgot my PIN" also didn't send an email to my account (which I'm pretty sure I also hadn't set up anyway).
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.
It would be insane if you could recover an account only having access to a phone number, since phone numbers can be redistributed to other people if you stop paying for your phone plan and then someone who gets your number will also inherit all your contacts and chats
Your contacts could still end up messaging the new owner of the number inadvertently if you don't warn them before losing the number or out of band through. It seems WhatsApp doesn't has no warning if such a owner change happened. I believe the new owner would inherit your group memberships too, but not the group chat history.
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
There is a way to show profile pictures to only contacts. It's a setting.
Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.
> Yes, and those people didn't get their profile pictures exposed through this phone number enumeration.
They did and this was not enumeration, did you read post?
The post with the headline “Worldwide enumeration of accounts was possible?”
OK... but it's not phone number enumeration. You need to give it a phone number to check if whatsapp acc is registered for it. So you need to have a collection of phone numbers first. If you have a collection of all phone numebrs in the world then you could enumerate whatsapp accounts.
And yes the pictures were leaked in the process.
It's trivial to enumerate all the phone numbers in the world.
exactly. to claim enumerating phone numbers is a whatsapp bug is stupid. and to say profile pictures were not revealed = not reading tfa.
"The accessible data items used in the study are the same that are public for anyone who knows a user's phone number and consist of: phone number, public keys, timestamps, and, if set to public, about text and profile picture." Source: TFA, which I read.
From my understanding the accessible data items meant they got them through the bug? Maybe I read wrong
A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
The lack of rate limiting was surprising.
Yes, indeed, I wouldn't have expected to be possible to enumerate all of them in a short time from a single IP.
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
I'm almost 100% sure that one of them is the only North Korean Steam user.
I hope nobody tells Kim there are another four users. I'm not sure their prison system can handle anymore, pretty well booked up last I heard.
If anything, the other four are likely to also be Kims.
I’ve actually thought of doing this myself, but there isn’t really much value in enumerating active phone numbers. Lest you run a full scale scam operation cold calling people to phish for their banking info.
My entire PII is already leaked elsewhere in other breaches.
The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused...
Never gonna happen.
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
>3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
> That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
Phone numbers were never supposed to be secret.
Nor were social security numbers.
We used to put phone numbers and addresses in printed books and give them to everyone.
I remember looking in a 1930's phone book for Zurich, and it even mentions the person's job (I guess for significant jobs like company owner)...
Norway still publishes everyone's tax returns.
But now you need to enter your own tax number to lookup other people's data, and they can see that you've been peeking.
But I suppose one could start a service, so you could pay them to look up a 3rd party's tax returns...
Phone numbers are treated as permanent even though they’re ephemeral. So here we are.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
But it's to combat spam, we swear! Because of course there is no spam in whatsapp!
Spam in WhatsApp is super low.
Of 10,000 received messages, perhaps 2 are spam?
[deleted]
Is phone number enumeration now considered a vulnerability? Really?
I know, remember when the telco's just published those in books every year?
But you had the option of having an unlisted or unpublished phone number. To give one datapoint, in Los Angeles in the 1980s about half of all numbers were unlisted. I would expect that the unlisted rate was much higher in big cities like L.A. compared to the rest of the country.
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
Very good point.
Everyone I knew while growing up was in the white pages (parents) with home address, not just phone number.
The early “FreeNet” and ISPs like Compuserve used anonymous usernames. Personalized email addresses came later…
Oddly, because we can’t even pay for privacy today, it appears as if nobody cares. Sure, still desirable but not even an option at any cost.
How we got from there to here is troubling.
What do you mean we can’t pay for privacy and it’s not an option at any cost? Just don’t use big tech services, you pay for them with your data. Use Threema instead, or similar. It is a paid service with focus on privacy.
funny thing is, there's probably a decent percentage of people here that don't remember this
Sarah Connor?
I can't imagine the scrutiny you must face when your product becomes so mainstream that researchers literally work on identifying security vulnerabilities.
If this is a security vulnerability, then these guys just documented their exploitation of said vulnerability. Sounds like a crime.
Proper research would be to identify an issue, write up the issue, conduct a handful of tests, report the issue. Improper research is enumerate the entire input space and gather as much data as you can from the target.
Did they discover it’s not e2e?
lol
"security vulnerability" ....
Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
Right, but if a country being at war or in a authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
[flagged]
Governments in these countries have full and absolute control over ISPs and phone operators. If they didn’t already know someone is using whatsapp, they are not totalitarian governments to begin with. And who in their right mind would use whatsapp in those countries? There are much better and safer alternatives.
The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en-masse.
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
>Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
we agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.
To create a whatsapp acccount, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power on.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.
Wow so much unrelated drama combined with pretty interesting advertisement.
Do you work for Meta?
People don't use WhatsApp because it's so secure. In certain countries people started using it because it was the first app that was cheaper than SMS and now they use it because everybody else is still using it. There is no other significant reason.
They have a history of security issues going back to 2011 when you could take over other peoples account. Today is just the last story of this ugly and leaking brother to Signal. The actually "most secure" app out there.
[deleted]
The security vuln is that it's owned by a bad faith actor
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
[flagged]
But what if most people don't actually care about these freedoms? What if we're only a small minority? Should we force our views on others through laws and regulations or should we, as free individuals, choose not to use these applications and let others make their own free choices?
Most people don't really want freedom of speech. Until they REALLY _NEED_ freedom of speech.
State an open source alternative so I can explain to you why the masses think it's crap.
While I agree a lot of open source messenger services have terrible UX, I don't think "the masses" care about it that much. What matters is what everyone else is using. People are using Snapchat or Instagram Messenger and I haven't seen a single person who likes the UX of those services - they just use it and put up with hatred for it because that's what all their friends use.
MSN Messenger had tons of open-source clients back when it was the popular IM network, and it was a weekend or two of work to write a client for it.
I think this is purely first mover advantage. We get stuck with bad products simply because those were the first products on the market. It is difficult to change them once everyone uses them. The same applies to the adoption of IT on the banking industry. Now we are stuck with COBOL and systems that are hard to migrate without damaging the economy.
Open source has nothing to do with this conversation.
I’ll bite : how does open source have nothing to do with a comment discussing “freedom oppressing software” and “Stallman”?
To be honest, I couldn’t imagine a word more related than "open source". Isn’t that junction literally the acronym F/LOSS?
Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
I was peripherally looking into this for a similar problem domain: https://en.wikipedia.org/wiki/Private_set_intersection
Related to Zero Knowledge Proofs, the advantage is that phone numbers need never be shared in cleartext, preempting whole classes of attacks. However, could be overkill for your needs, and I am not sure how well current techniques would scale.
The RFC addresses security, but does not mention anything about privacy. I think the scheme ultimately boils down to trusting the server/instance.
It would be great if users don't have to share the actual number with the server, a hash or something like that but that would make it impossible to verify the number and verification is required to prevent spoofing.
Another way maybe is to have a trusted 3rd party (something like EFF, LetsEncrypt) that can be used by users to validate their numbers and applications can get the hashes from there.
phone numbers aren’t unique enough for hashes, a lookup table would not be that much effort
Ah its great you bring this up, it's timely as my app is adding contacts syncing soon and I want to do it in a secure/private way. If you choose to go ahead with this, are there any plans to make it open source? ty!
Yeah, it will be
[flagged]
It's a retirement home for elder millennials who just happen to be insane. Not the same thing.
[flagged]
solid burn
Ok, let’s not have the is Bluesky decentralised discussion again. Kudos to Bluesky’s PR efforts to use complex technology to basically sell themselves as whatever people want to hear (like NFTs but social media). There are a number of X/Threads clones out there, but I’d take a group chat on some relatively secure messaging platform over “social media” any day. Even better if it’s something I can self host or join into one from many servers (remember IRC? Good times).
We really need to rethink this “one corp owns all the keys and all servers” setup.
I’m just glad we didn’t have the conversation again
> Even threads can connect to BlueSky
I thought Threads only interoperates with Mastodon/the fediverse in some limited capacity. Did I miss some Bluesky integration announcement?
You just need a bridge, as with connecting any decentralized platforms
https://fed.brid.gy/
so matrix? (which has it's own issues, but will hopefully overcome them eventually)
Yup
> highlights the risks associated with the centralization of instant messaging services
Any cervices, really
From the article:
> Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
Fascinating to me as this seems to imply that a phone number has a half-life of about 4-5 years (unless the fact of the leak persuaded a significant number of people to change their number, which I suppose is unlikely?)
I was always amazed when discussing with Americans who have kept their phone numbers since they were kids, there was a time I would change phone number every year
Swapping my phone number every year in the US would be an annoying as hell. Tons of services use phone number as 2FA or a backup recovery. (Including a lot of banks) I use SMS with some people and that would cut contact with them. Same direction if they changed numbers.
Keeping the same number is more convenient for the people that you do want calling you.
I imagine that for some, it also contributes to a sense of identity, much the same way that a mailing address might.
I'm one of those, as far as I can tell, I've had the same cellphone number since at least college, possibly high school.
Where do you live, and why do cell phone numbers cycle so quickly?
Because it doesn't matter. Or it didn't in the past, now it's a security nightmare to not have your number anymore and risk someone else having it before you changed it everywhere.
Yeah, I've had the same number since about 2001. It's nice as I've moved since then so any number that calls from my area code is definitely spam, although that's not really an issue now that my phone doesn't ring for unknown numbers.
I'm 38 and have the same number I had since 1999.
> highlights the risks associated with the centralization of instant messaging services
That seems to be the takeaway.
Centralization of just about anything is an issue, not just messaging.
However, users still want/need the kinds of advantages that we get from monopolies/centralization, and implementing them in distributed systems is really hard.
I wonder if there was ever a path for solving this early, like, we made email and that proliferated, if only we'd landed on better identity management first, would we be in some digital messaging utopia.
Would the world be better if we'd been saying "whats your public key?" instead of "whats your email?" in the 90s?
Maybe, but, in practice, email has been basically centralized too. For most people, it's just too convenient to get a gmail account for free, and forget about any maintenance headache.
But that only started when gmail launched with a deal that was too good to refuse (a mailbox that was huge for the time, and grew bigger over time). Before that most people just used the free email account they got from their ISP. That also comes without maintenance headache for the user and is at least somewhat less centralized
Yeah but you change your ISP more often (pricing reasons, moving to a different state or country) than your email provider.
The public keys won't be stable as we would need to rotate them. We need both a stable identity and a proof of that identity. Security is not very user friendly and would have made the digital tech even more fringe. One of the reasons email and web took off was its comparative ease of use.
For messaging i think early skype had it sorted more or less , decentralised - widely used and intuitive identity. If it had been allowed to evolve identity maybe like email(matrix or even bsky) got federated with custom servers/identities and handles that could still interoperate, would be nice. Instead MS bought it and ran it into the ground.
I think tech companies would've eventually attempted to build some walls around that and monetise it. Regardless of technology, the challenge is someone wants to "take this to the next level" - as long as it's investor driven, it remains "open" only as long as that brings more money or community good will
I wonder what happened to Mozilla Persona.
That was super nice.
https://simplex.chat/ Seems to take security and decentralization pretty far while keeping it convenient enough.
I have more confidence in Meta than the government.
I mean this as expression of technical feasibility and capability to achieve risk reduction with technical measures in an adequate amount of time.
Remember, that for the rest of the non-technical units out there the “digitization” and “IT implementation projects” fail on a massive scale.
Shit in shit out.
Whatever we trash FAANG for, any government has way more blowout.
You trust it more than your government. Which stands to reason at the moment if you are in the US. But there are competent, more trustworthy governments in other parts of the world. And other companies people might trust more than Meta.
Decentralization allows people to choose who they trust. Or rather requires them to really
> You trust it more than your government. Which stands to reason at the moment if you are in the US.
No, it really doesn't, and not because I have any faith in the current US government, just because I've seen the way Meta relates to it.
just read the matrix thread on hn homepage.
yeah
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
Why is it OK to allow enumeration of accounts with a given phone number, when it is generally considered to be a privacy and security violation to allow someone to enter email addresses and confirm if they have an account with a service or app?
I've never understood this idea that phone numbers shouldn't be protected the same as email addresses or other personal information.
It's for contact discovery. It's actually pretty similar for email? If you enter an email address in your mail client and send an email to it, in most configurations you'll get some kind of notification if the recipient doesn't exist.
Email, of course, has an unlimited number of possible addresses. Phone numbers are a dense space with limited parameter length. So it is easier to enumerate all phone numbers.
I’ve been receiving lots of SMS lately claiming to come from “WatApp”, “whtas app” and similar instead of a phone number.
I assume it can be related to this leak? Knowing someone uses a service can increase the effectiveness of targeted phishing.
Interestingly it’s harder to block these senders that do not advertise a number on sms.
No. Firstly, there was no "leak", the data was never shared. The experiment was conducted by researchers then the data set destroyed. Secondly, there's 3.5b WhatsApp accounts. They just send the same message to everyone and the majority of numbers will have an account regardless.
It's a feature for many of us, it is for me, cause when I input a new phone number in my contacts (like let's say a plumber's phone number I found on the internet) I first go to WhatsApp to check if they've got a profile there, in which case I contact them directly using WhatsApp, not via voice-call/SMS.
Occasionally is probably fine. In bulk is where I imagine scam companies get interested.
This doesn't seem like much of a leak. It sounds like users created public profiles that would be shown to anyone who entered their phone number while searching for other users. The researchers managed to get a list of users and the public information in their profile by looking up random numbers, but all they got was the public information users put in their profiles.
Since facebook didn't rate limit the researchers (or anyone else) it allowed them to collect a big dataset of publicly avilable information, so shame on facebook (as if they had any), but it's not like people's secret/private data was exposed. Nobody should be upset that the photo they uploaded and put on the internet as their public profile picture gets seen by somebody else. People who don't want their "sexual orientation, political views, drug use" or whatever known shouldn't put that in their profile where anyone and everyone can see it.
One of the most regrettable things. Humans should have had the most popular private chat application. But the figure of 19 billion USD in 2014 blinded Brian Acton. What he does with Signal now can never compensate for the trust of billions of users being sold to Mark Zuckerberg.
The EU had one job, and it was to block this deal. It was obvious that a company with no income and no real monetization model is not worth 19 Billion, and that Facebook is after the users. But no, they let it go through with some bs conditions. But hey, at least they forced apple to use usb-c, that made a real difference
this is just... enumeration of phone numbers? how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
A complete lack of rate limiting at a privacy-sensitive endpoint is arguably a fault.
I agree with this, but not the rest. It is not a security vulnerability, and I am not sure it being a privacy-sensitive endpoint either. Like someone pointed out, if you check one of your contacts and they have WhatsApp, you can tell, and you can message them from there. This is a feature.
I agree that there should be rate limiting of some sort.
Scale matters a lot for privacy.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
If Whatsapp is banned in the country and you could get sent to jail for using it, I'd want the fact that I'm using Whatsapp to be kept private.
Sure, they probably should implement it to be able to make it private, but then again, I do not trust Meta and I do not think you should trust it either, so if you get sent to jail for using it, you should probably be wary of it either way.
There are many alternatives to WhatsApp, you may want to try them. Briar, Ricochet Refresh, Session, Matrix (Element), Jabber (with OMEMO and whatnot), among many others.
Why isn't it a privacy and security problem if it is just done for a single phone number?
What is this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
100M per hour... it's quite ridiculous no ?
just read the pre-print paper.
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered ratelimiting and bypassed it, it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i faulter on calling it a vulnerability as in my eyes that term is specifically for unintended side affects / exploitation.
> i was under the impression they had encountered ratelimiting and bypassed it
Wouldn't that be the exact same privacy problem in effect? What's the practical difference between ineffective and no rate limiting?
ehh, not really.
assuming a reasonable ratelimit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of whatsapp, the issue this paper highlights is that there is no protection against mass scraping
I don't know if it's related but this morning I realized that I'd been logged out of my Whatsapp account. When I tried to log back in, I couldn't get Whatsapp to confirm my phone number. I didn't get the SMS they sent for the recovery code. Thankfully "call me" option worked for receiving the recovery code. But then I was asked a 2fa PIN which I (unfortunately) never had set up. "Forgot my PIN" also didn't send an email to my account (which I'm pretty sure I also hadn't set up anyway).
Currently I'm waiting to hear from Whatsapp support and/or the 7 day waiting time to be over to reset my account. It is bizarre that I am not able to recover my account when I still own my phone number (I can still receive SMS on it).
I would consider myself very cautious about clicking suspicious links, of course one can never be 100% sure. This was very disconcerting.
As a reminder for all Whatsapp users, please set up your 2FA PINs and recovery emails.
It would be insane if you could recover an account only having access to a phone number, since phone numbers can be redistributed to other people if you stop paying for your phone plan and then someone who gets your number will also inherit all your contacts and chats
Your contacts could still end up messaging the new owner of the number inadvertently if you don't warn them before losing the number or out of band through. It seems WhatsApp doesn't has no warning if such a owner change happened. I believe the new owner would inherit your group memberships too, but not the group chat history.
Isn't this very similar to the 2020 paper that covered WhatsApp, Telegram and Signal? https://encrypto.de/news/contact-discovery
What concerns me is that only thing stopping someone from enumerating the entire set of all possible phone numbers is effective server-side rate limiting. What are the current rate limits for each messenger, and are they sufficient? (per this paper, probably not)
I once participated in some work like this, https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefi... was super helpful. I couldn't find a link to libphonegen that they were referencing.
This is not a security vulnerability, it’s been documented in the user interface for years. That’s why I have no profile picture and no status. You clearly opt into “everyone” viewing it, and it’s obvious this it is literally anyone, because when you add a new contact, you simply enter their phone number and can see their profile picture and status. It doesn’t take a leap of imagination to enumerate that for the space of valid phone numbers.
There is a way to show profile pictures to only contacts. It's a setting.
Yes, and those people didn't get their profile pictures exposed through this phone number enumeration. If they had, then maybe it would have qualified as a security breach.
> Yes, and those people didn't get their profile pictures exposed through this phone number enumeration.
They did and this was not enumeration, did you read post?
The post with the headline “Worldwide enumeration of accounts was possible?”
OK... but it's not phone number enumeration. You need to give it a phone number to check if whatsapp acc is registered for it. So you need to have a collection of phone numbers first. If you have a collection of all phone numebrs in the world then you could enumerate whatsapp accounts.
And yes the pictures were leaked in the process.
It's trivial to enumerate all the phone numbers in the world.
exactly. to claim enumerating phone numbers is a whatsapp bug is stupid. and to say profile pictures were not revealed = not reading tfa.
"The accessible data items used in the study are the same that are public for anyone who knows a user's phone number and consist of: phone number, public keys, timestamps, and, if set to public, about text and profile picture." Source: TFA, which I read.
From my understanding the accessible data items meant they got them through the bug? Maybe I read wrong
A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
The lack of rate limiting was surprising.
Yes, indeed, I wouldn't have expected to be possible to enumerate all of them in a short time from a single IP.
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
I'm almost 100% sure that one of them is the only North Korean Steam user.
I hope nobody tells Kim there are another four users. I'm not sure their prison system can handle anymore, pretty well booked up last I heard.
If anything, the other four are likely to also be Kims.
I’ve actually thought of doing this myself, but there isn’t really much value in enumerating active phone numbers. Lest you run a full scale scam operation cold calling people to phish for their banking info.
My entire PII is already leaked elsewhere in other breaches.
The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused...
Never gonna happen.
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
>3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
> That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Default iCloud backup always included WhatsApp too, even if it was disabled in the app or the app used encrypted backups. And many other things, so it was not only about WhatsApp. Even for WhatsApp alone, it was slightly more useful.
Phone numbers were never supposed to be secret.
Nor were social security numbers.
We used to put phone numbers and addresses in printed books and give them to everyone.
I remember looking in a 1930's phone book for Zurich, and it even mentions the person's job (I guess for significant jobs like company owner)...
Norway still publishes everyone's tax returns.
But now you need to enter your own tax number to lookup other people's data, and they can see that you've been peeking.
But I suppose one could start a service, so you could pay them to look up a 3rd party's tax returns...
Phone numbers are treated as permanent even though they’re ephemeral. So here we are.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
But it's to combat spam, we swear! Because of course there is no spam in whatsapp!
Spam in WhatsApp is super low.
Of 10,000 received messages, perhaps 2 are spam?
Is phone number enumeration now considered a vulnerability? Really?
I know, remember when the telco's just published those in books every year?
But you had the option of having an unlisted or unpublished phone number. To give one datapoint, in Los Angeles in the 1980s about half of all numbers were unlisted. I would expect that the unlisted rate was much higher in big cities like L.A. compared to the rest of the country.
What I find fascinating is that people paid for privacy. Yes, indeed, people paid several dollars extra per month to maintain an unlisted/unpublished phone number. Today very few people are willing to pay actual money for privacy.
Very good point.
Everyone I knew while growing up was in the white pages (parents) with home address, not just phone number.
The early “FreeNet” and ISPs like Compuserve used anonymous usernames. Personalized email addresses came later…
Oddly, because we can’t even pay for privacy today, it appears as if nobody cares. Sure, still desirable but not even an option at any cost.
How we got from there to here is troubling.
What do you mean we can’t pay for privacy and it’s not an option at any cost? Just don’t use big tech services, you pay for them with your data. Use Threema instead, or similar. It is a paid service with focus on privacy.
funny thing is, there's probably a decent percentage of people here that don't remember this
Sarah Connor?
I can't imagine the scrutiny you must face when your product becomes so mainstream that researchers literally work on identifying security vulnerabilities.
If this is a security vulnerability, then these guys just documented their exploitation of said vulnerability. Sounds like a crime.
Proper research would be to identify an issue, write up the issue, conduct a handful of tests, report the issue. Improper research is enumerate the entire input space and gather as much data as you can from the target.
Did they discover it’s not e2e?
lol
"security vulnerability" ....
Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
Right, but if a country being at war or in a authoritarian regime is a precondition for the vulnerability to pose a threat, it's not really a scenario that would warrant a high scoring in some vulnerability scoring system. For sure it's a weakness and would score higher if the purpose of the technology were military.
But since this is a civilian application and not military, it doesn't seem sensible to rate vulnerabilities according to military use. The intended scope of the application makes a huge difference legally and operationally and should be triaged accordingly.
[flagged]
Governments in these countries have full and absolute control over ISPs and phone operators. If they didn’t already know someone is using whatsapp, they are not totalitarian governments to begin with. And who in their right mind would use whatsapp in those countries? There are much better and safer alternatives.
The vulnerability here is that the contact discovery endpoint could be abused to enumerate all WhatsApp users en-masse.
It's still quite possible to discover a single or small set of existing WhatsApp users based on their phone number. So in your scenario the risk still exists, it's just more work to enumerate everyone. Everyone should still assume their phone number can be linked to their WhatsApp account.
>Everyone should still assume their phone number can be linked to their WhatsApp account.
But this has always been the case, the phone numbers are public, and phone numbers are the public key to whatsapp accounts.
Also you always could check a specific number to see if it is a whatsapp user. It is certainly an issue if a single actor can query 500 million users in a matter of minutes, and there seems to be some additional information per account like what device they are in. But these seem relatively minor.
we agree. Just pointing out to the parent commenter that in their scenario the risk hasn't fundamentally changed. Just before the vuln was fixed it was a bit easier.
To create a whatsapp acccount, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
Is it edgy? I find it somewhat nuanced and sensible. What is a bit proper of pseudoanonymous tech bro forums is people larping as military grade security analysts in a forum because they are unable to live out that dream in an actual scenario where they have any power on.
If the application is actively distributed in a country and their usage is permitted by their Terms of Service, then yes Whatsapp is liable for the security of their users in that context. If however the application is not actively distributed in that country, and there are active measures like geolocalization (and asking the user what country they are from during signup) to avoid serving such countries, then usage in those countries is outside the scope of Whatsapp.
Furthermore Whatsapp is a civilian app and is not designed or guaranteed for military usage, it's outside the scope of whatsapp.
Can the technique be used as one tool of many (including a bullet) in order to kill someone? Yes, is this a deadly security vulnerability? No, of course not, that's reaching, I'm not sure what would compel these exaggerations, maybe the larping, maybe its a general hatred towards whatsapp and you just jump on any opportunity to release your pent up anger.
It's worth noting that there's a gap between the security capabilities of whatsapp and the security capabilities they are legally required to have. Whatsapp will no doubt patch this small issue and keep that gap, but WA as it stands is one of the most secure and widely used applications in the world, has had an almost impollute historical record which is why billions of users trust the application with personal and professional secrets.
P.S: Also, you always could find out if a phone number is a whatsapp user individually, just add them on whatsapp and try to message them.
Wow so much unrelated drama combined with pretty interesting advertisement.
Do you work for Meta?
People don't use WhatsApp because it's so secure. In certain countries people started using it because it was the first app that was cheaper than SMS and now they use it because everybody else is still using it. There is no other significant reason.
They have a history of security issues going back to 2011 when you could take over other peoples account. Today is just the last story of this ugly and leaking brother to Signal. The actually "most secure" app out there.
The security vuln is that it's owned by a bad faith actor
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
[flagged]
But what if most people don't actually care about these freedoms? What if we're only a small minority? Should we force our views on others through laws and regulations or should we, as free individuals, choose not to use these applications and let others make their own free choices?
Most people don't really want freedom of speech. Until they REALLY _NEED_ freedom of speech.
State an open source alternative so I can explain to you why the masses think it's crap.
While I agree a lot of open source messenger services have terrible UX, I don't think "the masses" care about it that much. What matters is what everyone else is using. People are using Snapchat or Instagram Messenger and I haven't seen a single person who likes the UX of those services - they just use it and put up with hatred for it because that's what all their friends use.
MSN Messenger had tons of open-source clients back when it was the popular IM network, and it was a weekend or two of work to write a client for it.
I think this is purely first mover advantage. We get stuck with bad products simply because those were the first products on the market. It is difficult to change them once everyone uses them. The same applies to the adoption of IT on the banking industry. Now we are stuck with COBOL and systems that are hard to migrate without damaging the economy.
Open source has nothing to do with this conversation.
I’ll bite : how does open source have nothing to do with a comment discussing “freedom oppressing software” and “Stallman”?
To be honest, I couldn’t imagine a word more related than "open source". Isn’t that junction literally the acronym F/LOSS?
SimpleX is the way.