WhatsApp is set to introduce usernames as a primary identifier, moving away from phone numbers, a strategic shift aimed at bolstering user privacy and combating widespread data scraping. This change comes in response to a significant security flaw that allowed researchers to extract billions of user phone numbers and associated profile data.

WhatsApp's Shift to Usernames: A Response to Data Scraping

Earlier reports hinted at WhatsApp's plans to enable usernames, but the underlying security imperative has now been brought to light. Austrian security researchers uncovered a vulnerability that permitted the automated enumeration of virtually all possible phone number combinations, subsequently revealing contact information, including names and profile images, for a vast number of WhatsApp users.

The researchers claim this flaw, which Meta (WhatsApp's parent company) allegedly failed to address for years, represents a substantial security risk. As detailed by Wired, the team successfully utilized this method to extract an astonishing 3.5 billion user phone numbers from the platform.

“For about 57% of those users, they also found that they could access their profile photos, and for another 29%, the text on their profiles. Despite a previous warning about WhatsApp's exposure of this data from a different researcher in 2017, they say, the service's parent company, Meta, still failed to limit the speed or number of contact discovery requests the researchers could make by interacting with WhatsApp's browser-based app, allowing them to check roughly a hundred million numbers an hour.”

This vulnerability could theoretically enable malicious actors to compile extensive databases of names and phone numbers, ripe for various illicit purposes, including targeted scam activities.

Meta's Mitigation Efforts and Future Direction

After the researchers shared their findings with Meta, the company promptly implemented new rate limits to block the mass scraping vector they had identified. However, even with these limits in place, the inherent reliance on phone numbers as primary identifiers remained a security concern. This ongoing risk is likely the primary driver behind Meta's push towards usernames, offering an alternative that inherently limits data exposure.
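To make the mitigation concrete, here is an added example (not WhatsApp's or Meta's code, and the limits are assumed values) of how a contact-discovery endpoint can enforce a per-client sliding-window cap on the number of phone numbers checked, and additionally flag enumeration: a legitimate address-book sync mostly hits registered numbers, whereas sweeping every possible combination mostly hits numbers that do not exist.

```python
import time
from collections import deque

# Constructed parameters (assumptions, not WhatsApp's real limits): each client
# may look up at most MAX_NUMBERS_PER_WINDOW numbers per WINDOW_SECONDS, and a
# client whose lookups overwhelmingly miss is treated as an enumerator.
WINDOW_SECONDS = 3600
MAX_NUMBERS_PER_WINDOW = 5000
MIN_LOOKUPS_FOR_HEURISTIC = 200
MAX_MISS_RATIO = 0.9


class ContactDiscoveryGuard:
    """Sliding-window rate limiter plus miss-ratio heuristic, keyed per client."""

    def __init__(self, registered, now=time.time):
        self.registered = set(registered)  # constructed set of registered numbers
        self.now = now                     # injectable clock for testing
        self.events = {}                   # client_id -> deque of (timestamp, count)
        self.stats = {}                    # client_id -> [lookups, misses]

    def _used_in_window(self, client_id, t):
        q = self.events.setdefault(client_id, deque())
        while q and q[0][0] <= t - WINDOW_SECONDS:  # drop expired entries
            q.popleft()
        return sum(count for _, count in q)

    def lookup(self, client_id, numbers):
        """Return ('ok', hits), ('rate_limited', None) or ('flagged', None)."""
        t = self.now()
        if self._used_in_window(client_id, t) + len(numbers) > MAX_NUMBERS_PER_WINDOW:
            return ("rate_limited", None)   # rejected batches do not consume budget
        self.events[client_id].append((t, len(numbers)))
        hits = [n for n in numbers if n in self.registered]
        s = self.stats.setdefault(client_id, [0, 0])
        s[0] += len(numbers)
        s[1] += len(numbers) - len(hits)
        # Enumeration heuristic: sustained lookups that mostly miss are not a
        # normal address-book sync, so withhold results from this client.
        if s[0] >= MIN_LOOKUPS_FOR_HEURISTIC and s[1] / s[0] > MAX_MISS_RATIO:
            return ("flagged", None)
        return ("ok", hits)
```

The per-window cap bounds throughput (the unlimited endpoint described above allowed roughly a hundred million checks an hour), while the miss-ratio check catches a scraper that spreads its sweep across many low-rate clients.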

It's important to clarify the scope of this data exposure. The information accessible through scraping is limited to basic profile data, and users retain the ability to make their profiles private, thereby shielding that data from such enumeration. Meta has also stated that it has found no evidence of malicious actors actively exploiting this weakness. Furthermore, user messages remain secure and protected by WhatsApp's default end-to-end encryption, ensuring conversational privacy is maintained.

While not a catastrophic data breach, the potential for creating databases for scam activity necessitated a proactive response. Consequently, WhatsApp is expected to intensify its rollout of usernames, not only to address these privacy concerns but also to continuously monitor and protect its users from any abuse of phone number matching. This move represents a sensible step by Meta to offer robust alternative options and mitigate potential harm from data exposure risks.