惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
小众软件
小众软件
S
SegmentFault 最新的问题
人人都是产品经理
人人都是产品经理
博客园 - 【当耐特】
博客园 - 三生石上(FineUI控件)
C
Check Point Blog
S
Schneier on Security
Microsoft Azure Blog
Microsoft Azure Blog
N
Netflix TechBlog - Medium
Engineering at Meta
Engineering at Meta
GbyAI
GbyAI
罗磊的独立博客
有赞技术团队
有赞技术团队
V
V2EX
Y
Y Combinator Blog
博客园 - 叶小钗
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
F
Fortinet All Blogs
W
WeLiveSecurity
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Stack Overflow Blog
Stack Overflow Blog
The Cloudflare Blog
S
Security @ Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
MyScale Blog
MyScale Blog
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
www.infosecurity-magazine.com
www.infosecurity-magazine.com
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
Schneier on Security
Schneier on Security
Security Latest
Security Latest
AWS News Blog
AWS News Blog
月光博客
月光博客
Security Archives - TechRepublic
Security Archives - TechRepublic
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
博客园 - Franky
Cisco Talos Blog
Cisco Talos Blog
T
Threat Research - Cisco Blogs
M
MIT News - Artificial intelligence
T
Troy Hunt's Blog
N
News and Events Feed by Topic
Cloudbric
Cloudbric
Scott Helme
Scott Helme
云风的 BLOG
云风的 BLOG
Attack and Defense Labs
Attack and Defense Labs

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
3.5B WhatsApp users' info scooped through enumeration flaw
2025-11-19 · via The Register - Security: Research

Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the "largest data leak in history."

The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set.

Using this feature, the researchers were able to gather user details at a rate of over 100 million accounts per hour by plugging in 63 billion phone numbers generated using a tool they built using the underlying tech of Google's libphonenumber.

REG AD

In typical settings, platforms would rely on rate limiting to prevent this kind of abuse, but WhatsApp still allowed enumeration on this scale without the researchers "encountering blocking or effective rate limiting."

REG AD

The researchers wrote [PDF]: "To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 billion phone numbers registered on WhatsApp (exceeding the "more than 2 billion people" officially stated by WhatsApp)."

More than 57 percent of the active accounts they enumerated had a profile picture, two-thirds of which contained detectable human faces, which the researchers said could be used to build a reverse phonebook where a person's image reveals other details about them.

Around 29 percent had text in their profile that could also build a fuller picture of each user.

Reporters, researchers, and other interested parties can often look at the coverage of data breaches, see that only basic personal information is included, and conclude that the severity of these incidents, realistically, is fairly low, given that this is often in the public domain already.

However, the text included in profiles could, in some cases, reveal additional sensitive information about the user, such as their sexual orientation, political views, drug use and trafficking, links to other platforms such as LinkedIn and Tinder, and professional email addresses.

Regarding the latter, the researchers were able to link enumerated phone numbers to government and military officials too.

Furthermore, several countries ban WhatsApp. China, Myanmar, and North Korea are notable examples, while other countries like Iran and Senegal have previously instituted bans and later rescinded them.

However, millions of active WhatsApp accounts were associated with phone numbers registered in these countries, a revelation consistent with WhatsApp boss Will Cathcart's previous admission.

REG AD

Countries such as China are known for persecuting people for breaking rules, such as circumventing bans on WhatsApp and other platforms. The consequences can reportedly include detention and being sent to re-education camps.

Less critical, but still pertinent, is the potential for abuse by cybercriminals and troublemakers.

The researchers said: "Large-scale databases of registered phone numbers can be misused by attackers. Since a registered number typically indicates an active device, these lists are a reliable basis for spam, phishing, or robocall attacks."

They also said it raises the question of how long this information remains valid and therefore open to abuse.

Taking the data from the great Facebook data scrape of 2021 – which saw the phone numbers, locations, email addresses, birthdays, and marital statuses of 533 million people's profiles collected – the research team found that half of the phone numbers were still active among the 3.5 billion records they collected from WhatsApp.

The Register asked Meta for more information, including whether it has implemented any additional protections after the researchers disclosed the potential for abuse via its bug bounty program.

The tech giant did not address the efficacy or existence of additional security measures following the researchers' submission in its response, but said it was already working on anti-scraping systems.

Nitin Gupta, VP of engineering at WhatsApp, said: "We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.

REG AD

"We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.

"As a reminder, user messages remained private and secure thanks to WhatsApp's default end-to-end encryption, and no non-public data was accessible to the researchers."

We also spoke to Gabriel Gegenhuber, a PhD candidate at the University of Vienna and researcher at SBA Research who co-authored the paper, and he confirmed that Meta's response was effective at preventing its methods.

He told us: "We supported Meta/WhatsApp with our knowledge in their remediation and retesting process.

"As part of that process, we have tried the exact same steps as for the original study, but were blocked swiftly. So we can confirm there are countermeasures in place now.

"This was, of course, not a detailed security audit of the entire WhatsApp infrastructure.

"As usual in security, the existence of security/privacy issues is easier to prove than their non-existence."

He also pointed to the disclosure timeline, as set out in the paper, and how it took Meta nearly a year to provide a meaningful response to the numerous tickets they raised throughout the research process.

Meta only requested a conference call to discuss the findings and asked the team members to delay publication after they supplied the company with a pre-print of their paper and notified them of their intention to publish.

"However, as soon as they realized the extent of the issue, they took it seriously and reacted promptly," said Gegenhuber. ®