by abigailphoebe
203 days ago

just read the pre-print paper. they claim to have achieved a rate of 7,000/s, which is roughly 25M/h. i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.

> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"

prior to my initial comment, i was under the impression they had encountered rate limiting and bypassed it; it appears this initial assumption was incorrect.

i agree that it is ridiculous, though i falter on calling it a vulnerability, as in my eyes that term is specifically for unintended side effects / exploitation.

Wouldn't that be the exact same privacy problem in effect? What's the practical difference between ineffective and no rate limiting?