The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

EXPLORE

Society & Culture

© 2024 PodJoint

https://is1-ssl.mzstatic.com/image/thumb/Podcasts211/v4/60/d9/f3/60d9f3b7-c2e2-5976-0efb-35fe6d08fff7/mza_5533681006261142495.jpg/600x600bb.jpg

Upwardly Mobile - API & App Security News

Approov Mobile Security

113 episodes

5 days ago

Think the App Store’s built-in security is enough? Think again.

Welcome to Upwardly Mobile, the podcast that exposes the gaps in iOS, Android, and HarmonyOS security. Hosts Skye and George take you into the high-stakes world of mobile defense, revealing why standard protections from Apple, Google, and Samsung often leave your sensitive data exposed. Sponsored by Approov—the gold standard in mobile app attestation—we move beyond the basics to tackle weaponized AI threats and dynamic API attacks. From runtime attestation to navigating complex compliance regulations, we equip developers and security pros with the actionable strategies needed to thwart attackers. Don’t leave your app vulnerable.

Subscribe now on Spotify and Apple Podcasts to elevate your security game.

Show more...

All content for Upwardly Mobile - API & App Security News is the property of Approov Mobile Security and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Think the App Store’s built-in security is enough? Think again.

Welcome to Upwardly Mobile, the podcast that exposes the gaps in iOS, Android, and HarmonyOS security. Hosts Skye and George take you into the high-stakes world of mobile defense, revealing why standard protections from Apple, Google, and Samsung often leave your sensitive data exposed. Sponsored by Approov—the gold standard in mobile app attestation—we move beyond the basics to tackle weaponized AI threats and dynamic API attacks. From runtime attestation to navigating complex compliance regulations, we equip developers and security pros with the actionable strategies needed to thwart attackers. Don’t leave your app vulnerable.

Subscribe now on Spotify and Apple Podcasts to elevate your security game.

Show more...

https://d3wo5wojvuv7l.cloudfront.net/t_rss_itunes_square_1400/images.spreaker.com/original/83f73d888478f063c20ddef345271f26.jpg

The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

Upwardly Mobile - API & App Security News

11 minutes

3 weeks ago

The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

The 3.5 Billion WhatsApp Scraping Flaw: Is Your Mobile API Leaking?

Episode Summary: In this episode, we break down a massive vulnerability discovered by researchers at the University of Vienna and SBA Research that allowed them to scrape data from roughly 3.5 billion WhatsApp accounts globally. We explore how a lack of rate limiting on the specific GetDeviceList API endpoint turned a benign contact discovery feature into a massive "enumeration oracle," allowing a single university server to query over 100 million numbers per hour. We discuss the types of data exposed—including active status, device types, public encryption keys, and millions of profile photos—and the implications for user privacy, particularly in regions where WhatsApp is banned like China and Iran. Finally, we cover Meta’s response to the disclosure and why industry experts are calling this a "masterclass in negligence" regarding API security. Key Topics Discussed:

The Vulnerability: How researchers used the GetDeviceList API to bypass safeguards and identify valid accounts across 245 countries.
The Scale: How a single server sustained 7,000 requests per second to verify 3.5 billion accounts without being blocked.
The Data: The exposure of profile images, "about" text, and public keys, and how this data correlates with previous Facebook leaks.
The Security Lesson: Why "does this number exist?" lookup APIs are inherently dangerous without strict behavioral monitoring and rate limiting.

Sponsor: This episode is supported by Approov. When mobile app security is an afterthought, user privacy becomes collateral damage. Approov ensures that only genuine mobile app instances, running on safe mobile devices, can access your backend APIs.

Visit the Sponsor: https://approov.io

Featured Sources & Further Reading:

BleepingComputer: WhatsApp API flaw let researchers scrape 3.5 billion accounts – Detailing the mechanics of the GetDeviceList abuse and the global scope of the data scrape.
Malwarebytes: WhatsApp closes loophole that let researchers collect data on 3.5B accounts – Analysis of the privacy implications, including the exposure of users in restrictive regimes.
Privacy Guides: WhatsApp contact discovery vulnerability identifies 3.5 billion users – Discussing the patch and how alternative messengers handle contact discovery.

Keywords: WhatsApp, API Security, Rate Limiting, Data Scraping, Mobile Security, Cybersecurity, Meta, Privacy, Enum, GetDeviceList, Infosec, Approov.

🎙️ Upwardly Mobile is hosted by Skye Macintyre & George McGregor. 🛡️ Sponsored by Approov: The only comprehensive solution for mobile app and API security. 👉 Subscribe & Review: Upwardly Mobile | Podcast

This episode includes AI-generated content.