The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?
À propos de cet audio
Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed, including active status, device types, public encryption keys, and millions of profile photos, and the implications for user privacy, particularly in regions where WhatsApp is banned, such as China and Iran. Finally, we cover Meta's response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security.

Key Topics Discussed:
- The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
- The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
- The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
- The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.
- Visit the Sponsor: https://approov.io
- BleepingComputer: WhatsApp API flaw let researchers scrape 3.5 billion accounts – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
- Malwarebytes: WhatsApp closes loophole that let researchers collect data on 3.5B accounts – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
- Privacy Guides: WhatsApp contact discovery vulnerability identifies 3.5 billion users – Discussing the patch and how alternative messengers handle contact discovery.
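To make the "Security Lesson" concrete, here is an added example (not code from the episode, WhatsApp or Meta) of the kind of per-client behavioral limits a "does this number exist?" lookup needs. The registry, the client names, the thresholds and the `get_device_list` handler are all constructed assumptions; the guard throttles a client on raw volume, on the number of distinct identifiers it touches in a window, and on a high miss ratio, since a genuine address-book sync looks nothing like a walk through the number space.

```python
import time
from collections import defaultdict, deque

# Constructed sample registry (assumption): numbers that have an account, with their device types.
REGISTERED = {f"+1555000{i:03d}": ["phone"] for i in range(15)}


class EnumerationGuard:
    """Per-client sliding-window limits for an existence-lookup endpoint."""

    def __init__(self, window_s=60, max_requests=30, max_distinct=20, max_miss_ratio=0.5):
        self.window_s = window_s            # size of the sliding window in seconds
        self.max_requests = max_requests    # plain volume cap per client per window
        self.max_distinct = max_distinct    # how many different numbers one client may probe
        self.max_miss_ratio = max_miss_ratio  # share of unregistered numbers that signals guessing
        self.events = defaultdict(deque)    # client -> deque of (timestamp, number, hit)

    def _prune(self, client, now):
        q = self.events[client]
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def check(self, client, number, hit, now=None):
        """Record one lookup; return a throttle reason, or None if the client is within limits."""
        now = time.time() if now is None else now
        self._prune(client, now)
        q = self.events[client]
        q.append((now, number, hit))
        if len(q) > self.max_requests:
            return "rate"            # too many lookups in the window, whatever they are
        if len({n for _, n, _ in q}) > self.max_distinct:
            return "enumeration"     # many distinct numbers: scraping pattern, not a contact sync
        misses = sum(1 for _, _, h in q if not h)
        if len(q) >= 10 and misses / len(q) > self.max_miss_ratio:
            return "guessing"        # mostly unregistered numbers: walking the number space
        return None


GUARD = EnumerationGuard()


def get_device_list(client, number, now=None):
    """Hypothetical lookup handler: throttled clients get the same response shape and no data."""
    hit = number in REGISTERED
    reason = GUARD.check(client, number, hit, now)
    if reason:
        return {"status": "throttled", "reason": reason, "devices": []}
    return {"status": "ok", "devices": list(REGISTERED.get(number, []))}
```

The thresholds are illustrative; in production they would be tuned against real sync traffic and combined with authentication of the calling app, so the client key cannot be trivially rotated.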
🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast
This episode includes AI-generated content.