We are here because an overwhelming majority of people accept to subject themselves to freedom-oppressing software. If a significant number of people rejected it, that would lower the burden for the rest to also reject it.
Stallman was right.
Stallman was right, but sometimes I think this is bigger than just software. This is about power, and software is just one of many tools. Stallman was right, but I wonder if his ideas would have resonated more widely if they had been framed in terms of power.
State an open source alternative so I can explain to you why the masses think it's crap.
While I agree a lot of open source messenger services have terrible UX, I don't think "the masses" care about it that much. What matters is what everyone else is using. People are using Snapchat or Instagram Messenger and I haven't seen a single person who likes the UX of those services - they just use it and put up with hatred for it because that's what all their friends use.
Open source has nothing to do with this conversation.
Funny timing, we just published an RFC on a contact-matching scheme that's intended to be resilient to this kind of enumeration attack at the cost of reduced discovery. We're soliciting feedback so now's a good time to share the link - https://docs.bsky.app/blog/contact-import-rfc
This sounds grea-- oh... I'm not going on BlueSky haha. It's a mental institution at this point.
It's a retirement home for elder millennials who just happen to be insane. Not the same thing.
is this really needed? I already have an effective mechanism for not discovering anybody on bluesky.
solid burn
Specifically, the endpoint allowed asking if a given phone number had a whatsapp account. Scaled up to ~all phone numbers. That doesn't seem like a major vulnerability.
I once participated in some work like this, https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefi... was super helpful. I couldn't find a link to libphonegen that they were referencing.
A bit disappointing, I thought everybody knew it was possible to "enumerate" Whatsapp accounts? I was hoping for something more juicy like RCE...
The lack of rate limiting was surprising.
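The thread notes that the endpoint answered "does this number have an account?" with no rate limiting, which is what turned a per-number check into a sweep of the whole number space. The following is an added example, not WhatsApp's or Bluesky's code, of what a contact-import endpoint looks like with the controls a defender would expect: a batch-size cap, a per-client sliding-window request budget, and a per-client daily budget of unique numbers queried. The class name, the limits, and the phone numbers are all constructed for the example. The daily unique-number budget is the control that actually bounds enumeration: a client that splits the number space into many small batches still exhausts it, while re-checking the same contacts stays free.

```python
"""Rate-limited contact discovery lookup (added example, constructed data)."""
import hashlib
import time
from collections import deque

DAY_SECONDS = 86_400


class LookupRejected(Exception):
    """Raised when a lookup violates a limit; `reason` names which one."""

    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


def _digest(number: str) -> str:
    # Compare hashes so the registry is not held as a plaintext list of numbers.
    return hashlib.sha256(number.strip().encode()).hexdigest()


class ContactDiscovery:
    def __init__(self, registered, *, max_batch=50, window_s=60.0,
                 window_limit=5, daily_unique_limit=500, clock=time.monotonic):
        self._registered = {_digest(n) for n in registered}
        self._max_batch = max_batch
        self._window_s = window_s
        self._window_limit = window_limit
        self._daily_unique_limit = daily_unique_limit
        self._clock = clock
        self._requests: dict[str, deque] = {}          # client -> request timestamps
        self._seen: dict[str, tuple[float, set]] = {}  # client -> (day_start, hashes queried)

    def lookup(self, client_id: str, numbers: list[str]) -> list[str]:
        """Return the subset of `numbers` that are registered, or reject the call."""
        now = self._clock()
        if len(numbers) > self._max_batch:
            raise LookupRejected("batch_too_large")

        # Sliding window: evict timestamps older than the window, then count.
        window = self._requests.setdefault(client_id, deque())
        while window and now - window[0] >= self._window_s:
            window.popleft()
        if len(window) >= self._window_limit:
            raise LookupRejected("rate_limited")

        # Daily unique-number budget: re-querying known contacts is free,
        # sweeping numbers the client has never asked about is not.
        day_start, seen = self._seen.get(client_id, (now, set()))
        if now - day_start >= DAY_SECONDS:
            day_start, seen = now, set()
        digests = [_digest(n) for n in numbers]
        fresh = set(digests) - seen
        if len(seen) + len(fresh) > self._daily_unique_limit:
            raise LookupRejected("daily_quota_exceeded")

        # Commit state only after every check has passed, so a rejected
        # call does not consume budget.
        seen |= fresh
        self._seen[client_id] = (day_start, seen)
        window.append(now)
        return [n for n, d in zip(numbers, digests) if d in self._registered]


class ManualClock:
    """Deterministic clock so the limits can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = ManualClock()
    svc = ContactDiscovery({"+15550000001", "+15550000002"}, clock=clock)
    print(svc.lookup("app-a", ["+15550000001", "+15550000999"]))
    try:
        for i in range(10):
            svc.lookup("app-a", [f"+1555000{i:04d}"])
    except LookupRejected as e:
        print("rejected:", e.reason)
```

The window limit alone is not enough: an enumeration client with many accounts or a long time horizon sits under any per-minute ceiling. Counting distinct numbers per client per day, and alerting on clients that approach that ceiling, is the signal that separates a user syncing an address book from a sweep.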
The most interesting vulnerability is the reuse of cryptographic keys, some of it apparently by design, like when transferring one's account to a new number - this can apparently be used to correlate identities despite the change of phone number.
Also, from examining the published data set I found it interesting that there are only five WhatsApp users registered in North Korea. I wonder who they are.
I'm almost 100% sure that one of them is the only North Korean Steam user.
I hope nobody tells Kim there are another four users. I'm not sure their prison system can handle any more, pretty well booked up last I heard.
Is phone number enumeration now considered a vulnerability? Really?
I know, remember when the telcos just published those in books every year?
funny thing is, there's probably a decent percentage of people here that don't remember this
Sarah Connor?
"security vulnerability" ....
The only fix to this is to replace phone numbers by secret 256 bit keys that are never reused...
Never gonna happen.
WhatsApp has avoided the pressure of E2EE backdoors and whatever politics because they were never needed.
1. They collect all the metadata in unencrypted format and link it to phone numbers, making a huge social graph.
2. Backups are not encrypted by default and enabling of them is pushed. So the messages were never actually encrypted for most people and police can get messages without the actual phone.
3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
> 3. iCloud E2EE backup fight in UK was mostly because of 2. as people started to opt-in for encryption.
That doesn't make any sense. Why did uk want to start a fight over icloud E2EE backups (opt-in) but not whatsapp E2EE backups (opt-in)?
Phone numbers were never supposed to be secret.
Nor were social security numbers.
We used to put phone numbers and addresses in printed books and give them to everyone.
Phone numbers are treated as permanent even though they’re ephemeral. So here we are.
That’s not gonna happen because the whole idea is to link your real identity to the digital one, which is why you should never trust any company that refuses to give you an alternative option to the phone number.
But it's to combat spam, we swear! Because of course there is no spam in whatsapp!
The security vuln is that it's owned by a bad faith actor
https://news.ycombinator.com/item?id=1692122
https://news.ycombinator.com/item?id=25662215
I get this is snarky and it being HN I'll now collect my downvotes, but really, I can't not hear Whatsapp without also thinking Facebook; the entire product may as well be a security vuln
Security vulnerability is a bit strong, but I don't blame news salesmen for making clickbait, it's all in the game
If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability, but I don't blame someone on a tech bro forum for making an edgy comment, it's all in the game.
> If you can identify a person in a country where WA shouldn't be available by sniffing out their profile, it may even end up being a deadly security vulnerability,
What are you talking about? Like what is even the mechanism for your concern?
This is an open endpoint / not a part of the design that is intended to be confidential. If you suspected any particular individual you could always check if their phone number had a WA account.
To create a whatsapp account, you need to authenticate with sms first. If the country is that strict around whatsapp, this alone would bring you trouble.
In a kinetic warfare or authoritarian context, this is rather a life safety vulnerability. In the industry, we call this the crossover from Information Security (InfoSec) to Operational Security (OpSec), where a digital flaw becomes a Kinetic Threat.