Cybersecurity

8643 readers

181 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Be respectful. Everyone should feel welcome here.
No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
No Ads / Spamming.
No pornography.

Community Rules

Idk, keep it semi-professional?
Nothing illegal. We're all ethical here.
Rules will be added/redefined as necessary.

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago

MODERATORS

kid@sh.itjust.works

Lanky_Pomegranate530@midwest.social

WhatsApp API flaw let researchers scrape 3.5 billion accounts (www.bleepingcomputer.com)

submitted 3 days ago by KarnaSubarna@lemmy.ml to c/cybersecurity@sh.itjust.works

0 comments fedilink hide all child comments

The researchers from the University of Vienna and SBA Research used WhatsApp's contact-discovery feature, which lets you submit a phone number to the platform's GetDeviceList API endpoint to determine whether a phone number is associated with an account and what devices were used.

Without strict rate limiting, APIs like this can be abused to perform large-scale enumeration across a platform.

The researchers found this to be the case with WhatsApp, as they were able to send a high volume of queries directly to WhatsApp's servers, checking more than 100 million numbers per hour.

They ran the entire operation from a single university server using just five authenticated sessions, initially expecting to get caught by WhatsApp. However, the platform never blocked the accounts, never throttled their traffic, never restricted their IP address, and never reached out despite all the abusive activity coming from one device.

The researchers then generated a global set of 63 billion potential mobile numbers and tested all of them against the API. Their queries returned 3.5 billion active WhatsApp accounts.

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here