Critical vulnerabilities found
See bugs.olivermaicher.eu
Web App Privilege Escalation: User to Admin

Rijul found a vulnerability through bugs.olivermaicher.eu that let him escalate from a regular user to admin in our client’s web app, giving access to private data. The application code on its own should not have allowed this; it was the deployed environment that made the escalation possible.
The issue was responsibly reported, patched, and Rijul received a bounty.
Researchers from Vienna: WhatsApp Data Leak
A team from the University of Vienna and SBA Research discovered a major flaw in WhatsApp’s Contact Discovery feature. They could check up to 100 million phone numbers per hour to identify active WhatsApp accounts, enumerating around 3.5 billion profiles in total.

The collected data is also statistically interesting:
- Active WhatsApp usage in countries where the app is officially banned, including China, Iran, and Myanmar.
- A global ratio of 81% Android to 19% iOS, with strong regional variations.
- Different privacy preferences: some regions rarely use profile photos, while others show a lot.
- Occasional re-use of cryptographic keys was detected, an indication of unofficial clients or fraudulent use.
- Nearly 50% of the phone numbers from the 2021 Facebook data leak were still active on WhatsApp, which increases the risk of spam or scam calls.
Exposed data included phone numbers, public keys, timestamps, profile pictures (if public), and “About” texts; taken together, these could reveal account age, device type, and OS. Messages themselves remained end-to-end encrypted.
The researchers reported the issue to Meta/WhatsApp, deleted collected data, and Meta has reportedly implemented countermeasures.