Security researchers successfully compiled a database containing 3.5 billion active mobile phone numbers and associated personal information from WhatsApp by exploiting a major security flaw in the platform’s contact-discovery application service. The vulnerability, stemming from a critical lack of usage controls, allowed the team to check over 100 million potential numbers per hour from a single server without detection or throttling. The collected data included phone numbers, public “about” text, device information, and 77 million profile images from a test of US users. Following the responsible disclosure of this failure, the company added traffic-limiting safeguards to the service to prevent future bulk collection efforts.
reply