Researchers discover security vulnerability in WhatsApp

Scope and Severity of the “Vulnerability”

  • Many commenters argue this is mostly enumeration of existing, intentionally public data (phone number → WhatsApp account + public profile), not a classic “data breach.”
  • Others counter that the scale enabled by zero/weak rate limiting (thousands of lookups per second, billions of numbers) is precisely what turns a feature into a vulnerability.
  • There’s disagreement over terminology: some reserve “vulnerability” for unintended flaws or code bugs; others include obviously risky design and missing safeguards (like rate limiting).

Threat Models and Real-World Risk

  • One camp downplays the danger: phone numbers were never secret; anyone could already check if a given number has WhatsApp, and telcos/governments in authoritarian states already see everything.
  • Another highlights life-safety implications: being able to systematically identify WhatsApp users in countries where it’s banned could aid repression; they frame this as crossing from InfoSec to OpSec.
  • Counterargument: WhatsApp is a civilian app, not designed for military/underground use; if using it is jailable, you shouldn’t trust Meta at all.

Technical Aspects and Data Exposed

  • The exploited endpoint is WhatsApp’s contact discovery: “does this number have an account, and what public profile data is visible?”
  • Researchers report ~7,000 queries/second from a single session, enabling ~3.5B account confirmations and collection of public profile photos/status where set.
  • Some mention cryptographic key reuse and the ability to correlate identities when users change numbers as a more interesting long-term issue.
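The safeguard the thread keeps returning to is per-session rate limiting on the contact-discovery endpoint. As an added example (not code from the original discussion or from WhatsApp), the Python below puts a sliding-window limiter in front of such a lookup and runs it against a constructed burst at the 7,000 lookups/second the researchers reported; the 100-per-minute threshold, session ids, number format and the registered-number directory are all assumptions.

```python
from collections import deque
from typing import Deque, Dict, Iterable, List, Set, Tuple


class ContactDiscoveryLimiter:
    """Sliding-window limiter: at most `max_lookups` phone-number checks per
    `window_s` seconds for one session. Thresholds are illustrative
    assumptions, not the limits any real messenger enforces."""

    def __init__(self, max_lookups: int = 100, window_s: float = 60.0) -> None:
        self.max_lookups = max_lookups
        self.window_s = window_s
        self._seen: Dict[str, Deque[float]] = {}

    def allow(self, session_id: str, now: float) -> bool:
        """Record one lookup at time `now` and report whether it may be served."""
        q = self._seen.setdefault(session_id, deque())
        while q and now - q[0] >= self.window_s:  # forget lookups outside the window
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(now)
        return True


def discover(limiter: ContactDiscoveryLimiter, session_id: str,
             lookups: Iterable[Tuple[float, str]], registered: Set[str]) -> Tuple[List[str], int]:
    """Serve a stream of (timestamp, number) lookups from one session.
    Returns the numbers confirmed as registered and how many lookups were throttled."""
    confirmed: List[str] = []
    throttled = 0
    for ts, number in lookups:
        if not limiter.allow(session_id, ts):
            throttled += 1
            continue
        if number in registered:  # the only fact the endpoint reveals
            confirmed.append(number)
    return confirmed, throttled


def scraper_burst(start: float, rate_per_s: int) -> List[Tuple[float, str]]:
    """Constructed scraper traffic: `rate_per_s` sequential numbers within one second."""
    return [(start + i / rate_per_s, f"+1555{i:07d}") for i in range(rate_per_s)]


# Constructed directory (assumption): every tenth number in the block has an account.
REGISTERED = {f"+1555{i:07d}" for i in range(0, 7000, 10)}

if __name__ == "__main__":
    unlimited = ContactDiscoveryLimiter(max_lookups=10**9)  # no safeguard: whole block confirmed
    print(len(discover(unlimited, "s1", scraper_burst(0.0, 7000), REGISTERED)[0]))
    capped = ContactDiscoveryLimiter(max_lookups=100, window_s=60.0)
    print(discover(capped, "s1", scraper_burst(0.0, 7000), REGISTERED)[1])  # lookups throttled
```

With the limiter in place the same burst yields 10 confirmations instead of 700, and a second burst in the same window is refused entirely until the window has rolled over.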

Privacy Expectations and Phone Numbers as Identifiers

  • Historically, phone numbers and addresses were often publicly listed; some participants recall paying extra for an unlisted number.
  • Today, numbers function as persistent identifiers and 2FA / recovery keys, so reassignment and leakage have greater consequences.
  • Debate over whether confirming account existence for a single number is already a privacy issue, especially for sensitive services, and how aggregating such confirmations across multiple services could be abused.

Centralization and Alternatives

  • Several comments see this as yet another illustration of risks from centralizing global messaging under one corporate actor.
  • Alternatives and mitigations discussed:
    • Using schemes like private set intersection or Bluesky’s contact-import RFC to reduce enumeration risk.
    • Moving away from phone numbers as primary identifiers to random, high-entropy IDs.
    • Decentralized or privacy-focused messengers (Matrix, SimpleX, Threema, etc.) as preferable models.