Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
I once participated in some work like this, https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefi... was super helpful. I couldn't find a link to libphonegen that they were referencing.
The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused...
Never gonna happen.
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
Phone numbers were never supposed to be secret.
Nor were social security numbers.
We used to put phone numbers and addresses in printed books and give them to everyone.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
I'm almost 100% sure that one of them is the only North Korean Steam user.
Is phone number enumeration now considered a vulnerability? Really?
"security vulnerability" ....
The security vuln is that it's owned by a bad faith actor
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making a edgy comment, it's all in the game.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.
Kinetic Threat, thats a good one, I'm going to kinetically threaten your face!