item 45990123

abigailphoebe | 3 months ago

this is just... enumeration of phone numbers? how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.

lxgr | 3 months ago

A complete lack of rate limiting at a privacy-sensitive endpoint is arguably a fault.

johnisgood | 3 months ago

I agree with this, but not the rest. It is not a security vulnerability, and I am not sure about it being a privacy-sensitive endpoint either. Like someone pointed out, if you check one of your contacts and they have WhatsApp, you can tell, and you can message them from there. This is a feature.

I agree that there should be rate limiting of some sort.

patja | 3 months ago

Why isn't it a privacy and security problem if it is just done for a single phone number?

What if this was not WhatsApp, but a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?

What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?

xwolfi | 3 months ago

100M per hour... it's quite ridiculous, no?

abigailphoebe | 3 months ago

just read the pre-print paper.

they claim to have achieved a rate of 7,000/s, which is roughly 25M/h

i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.

> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"

prior to my initial comment, i was under the impression they had encountered rate limiting and bypassed it; it appears this initial assumption was incorrect.

i agree that it is ridiculous, though i falter on calling it a vulnerability as in my eyes that term is specifically for unintended side effects / exploitation.
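The rate-limiting point argued back and forth in this thread, as an added Python illustration that is not WhatsApp's code or the tooling from the pre-print quoted above: a toy contact-discovery lookup is run once with no limit (the "no prohibitive rate-limiting" case) and once behind a hypothetical per-session token bucket charged one token per phone number rather than per request, so batching does not sidestep it. The registered numbers, the +1-555 block, the session id and the 10 numbers/s budget are all constructed for the example; the 7,000/s probe rate and the 3.5 B figure are the ones quoted from the paper.

```python
"""
Added illustration (not WhatsApp's code or the paper's tooling): a toy
contact-discovery endpoint run with and without a per-session token-bucket
limit, and a simulated sequential enumeration against each.
All numbers, sessions and limits below are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


class RateLimited(Exception):
    """Raised when a session exhausts its query budget."""


@dataclass
class TokenBucket:
    """Classic token bucket: refills `rate` tokens/second up to `burst`."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def take(self, now: float, cost: float) -> bool:
        """Spend `cost` tokens at time `now`; False if the budget is short."""
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        if self.tokens < cost:
            return False
        self.tokens -= cost
        return True


class ContactDiscovery:
    """Per-session 'is this number registered?' lookup (hypothetical).

    rate=None reproduces the unlimited behaviour quoted above. Otherwise each
    session gets its own bucket, charged one token per phone number queried
    (not per request), so large batches cannot defeat the limit.
    """

    def __init__(self, registered: set[str], rate: float | None = None,
                 burst: float | None = None) -> None:
        self.registered = registered
        self.rate = rate
        self.burst = burst if burst is not None else rate
        self._buckets: dict[str, TokenBucket] = {}

    def lookup(self, session: str, numbers: list[str], now: float) -> dict[str, bool]:
        if self.rate is not None:
            bucket = self._buckets.setdefault(session, TokenBucket(self.rate, self.burst))
            if not bucket.take(now, cost=len(numbers)):
                raise RateLimited(f"session {session} exceeded budget at t={now:.3f}s")
        return {n: n in self.registered for n in numbers}


def enumerate_block(endpoint: ContactDiscovery, session: str, start: int,
                    count: int, qps: float, batch: int = 100) -> tuple[int, int, float]:
    """Simulate probing `count` consecutive numbers at `qps` numbers/second.

    Returns (numbers checked, registered hits, simulated seconds elapsed);
    stops at the first RateLimited response.
    """
    checked = hits = 0
    t = 0.0
    for i in range(0, count, batch):
        # Constructed E.164-style numbers in a fictitious +1-555 block.
        chunk = [f"+1555{start + i + j:07d}" for j in range(min(batch, count - i))]
        try:
            result = endpoint.lookup(session, chunk, now=t)
        except RateLimited:
            break
        checked += len(chunk)
        hits += sum(result.values())
        t += len(chunk) / qps
    return checked, hits, t


def hours_to_confirm(numbers: float, qps: float, sessions: int = 1) -> float:
    """Wall-clock hours to test `numbers` at `qps` per session, `sessions` in parallel."""
    return numbers / (qps * sessions) / 3600


# Constructed sample: three "registered" users inside a 1,000-number block.
REGISTERED = {"+15550000042", "+15550000100", "+15550000999"}

if __name__ == "__main__":
    unlimited = ContactDiscovery(REGISTERED)
    print("no limit  :", enumerate_block(unlimited, "s1", 0, 1000, qps=7000))
    limited = ContactDiscovery(REGISTERED, rate=10, burst=200)
    print("10/s limit:", enumerate_block(limited, "s1", 0, 1000, qps=7000))
    print(f"3.5e9 numbers at 7000/s: {hours_to_confirm(3.5e9, 7000):.0f} h per session")
```

Unlimited, the whole 1,000-number block is confirmed in about a seventh of a second and all three registered numbers are found; with the constructed 10/s budget the session burns its 200-token burst in two batches and is cut off with one third of the block unseen. The same arithmetic puts 3.5 B numbers at 7,000/s at roughly 139 hours for a single session, which is why the missing limit, not the existence of the lookup, is what the thread keeps coming back to.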