Vulnerability discovered in WhatsApp Web: all users affected
Security researchers have found a new vulnerability in the WhatsApp Web API. It allows hackers to access third-party user data, without any limit.
Security researcher Loran Kloeze has uncovered a critical loophole in WhatsApp's web interface. It lets hackers query an unlimited number of telephone numbers in the database. He has also documented the gap in a blog post.
Creation of infinite user databases possible
Kloeze developed a script specifically for this experiment that runs through several numbers. If there is a hit, the associated phone number, info and profile picture of the user are displayed. The IT expert defines a filter of phone numbers, which the script then searches through. This is done solely by using the WhatsApp developer API. This means someone could record a user's online times for months without the user noticing.
As a spokesman told Motherboard, the problem is already being worked on. Abuse will also be monitored behind the scenes, and unusual queries will be blocked. If you don't want to be spied on, you can hide all data in WhatsApp's privacy settings. For each item, the setting must be set to "My contacts". A hacker could then, in theory, only access data from his own contacts.