Vulnerability discovered in WhatsApp Web: all users affected

Security researchers have found a new vulnerability in the WhatsApp Web API. It is thus possible for hackers to access third-party user data. And unlimited.

Security researcher Loran Kloeze has uncovered a critical loophole in WhatsApp's web interface. This enables hackers to query unlimited telephone numbers in the database. He also has the gap here in one Blog post recorded.

Creation of infinite user databases possible

Kloeze has developed an extra script for this experiment, which runs through several numbers. If there is a hit, the associated phone number, info and Profilbild of the user is displayed. In this case, the IT expert defines a filter of phone numbers, which the script searches through. This is done solely by using the WhatsApp developer API. This means you could record a user's online times for months without them noticing.

This is the script, the vulnerability in WhatsApp Web. This can be used to read out third-party user data. (Image: Loran Kloetze/ Blog)

As a spokesman told Motherboard, the Proproblem already worked. Abuse will also be monitored behind the scenes and unusual queries will be blocked. If you don't want to be tapped, you can hide all data in WhatsApp's data protection settings. For each point, the setting must be set to "My contacts". The hacker could then theoretically only access data from his contacts.

Recommendations for you

• WhatsApp: vulnerability threatens groups and messages
• WhatsApp: Multi-device functions now available for iOS and Android
• WhatsApp: Multi-device functions can be tested
• WhatsApp: Despite the upcoming multi-device functions, only one smartphone could be supported