@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://github.com/sbaresearch/whatsapp-census
  • Blog Title: Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy
  • Suggested Section: Pentesting Web -> Registration & Takeover Vulnerabilities (new subsection on abusing contact-discovery / identifier-enumeration oracles, dialing-plan modeling, and public-key reuse correlation)

🎯 Content Summary

This repository contains the extended NDSS 2026 paper “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” and supporting data files, not exploit code. The work analyzes a systemic privacy weakness in WhatsApp’s contact discovery mechanism: the platform effectively exposes a remote enumeration oracle for arbitrary mobile numbers, and historically applied rate limiting/abuse controls were weak enough to allow large-scale, automated probing o...

🔧 Technical Details

Abusing phone-number contact discovery as an enumeration oracle.
Any messaging service that lets clients ask “is this phone number registered?” via an API can be abused as a presence oracle. An attacker systematically generates candidate phone numbers and feeds them into the normal contact discovery flow (e.g., by simulating address-book uploads or batched lookups). For each number, the response reveals registered vs. unregistered status. If server-side defenses are weak, this technique scales to hundreds of millions of numbers per hour, allowing attackers to build comprehensive maps from phone numbers to accounts without ever sending messages.


Optimizing enumeration using dialing-plan modeling.
Rather than brute-forcing arbitrary numeric ranges, an attacker first builds a realistic phone-number model per country using public dialing information (country codes, valid lengths, and operator allocations, as in country-table.csv/count...

🤖 Agent Actions

Summary:

  • Extended the Registration & Takeover Vulnerabilities page with a full subsection on abusing phone-number contact-discovery flows as presence/oracle attacks, describing how to instrument legit clients, batch queries, scale enumeration to >100M lookups/hour, and operationalize the results (targeting leaked datasets, profiling geography/OS).
  • Documented practical dialing-plan modeling using the paper’s country-table.* dataset (with sample generation code), explained how to correlate X25519 public-key reuse across accounts, and outlined layered defensive controls (multi-dimensional throttling, anomaly detection, PSI-based discovery, noisy responses).
  • Updated the References section to cite the NDSS 2026 “Hey there! You are using WhatsApp” research repository as the source of the new techniques and data.

Tests: Not run (documentation-only change).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
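One defensive signal the summary points at (multi-dimensional throttling and anomaly detection on contact discovery), as an added example that is not part of this PR, the HackTricks page or the paper's repository: a detector that flags clients whose hourly lookup volume or unregistered-miss ratio looks like systematic enumeration rather than an ordinary address-book sync. The log schema, the thresholds and the sample events are constructed assumptions for illustration.

```python
"""Flag contact-discovery enumeration from per-batch lookup logs.

Assumed (constructed) log schema: one event per contact-sync batch with the
client identifier, how many numbers were submitted and how many resolved to
a registered account. Thresholds are illustrative, not values from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LookupEvent:
    ts: int          # epoch seconds of the batch
    client_id: str   # device/session identifier (assumed field)
    batch_size: int  # numbers submitted in this contact-sync batch
    hits: int        # numbers that resolved to a registered account


WINDOW_SECS = 3600           # aggregate per client per hour
MAX_LOOKUPS_PER_WINDOW = 5000  # a real address book rarely exceeds this
MIN_LOOKUPS_FOR_RATIO = 500    # ratio check only once there is enough volume
MAX_MISS_RATIO = 0.5           # syncs mostly hit; number-space walking mostly misses


def flag_enumerators(events):
    """Return {client_id: sorted reasons} for clients that trip any rule."""
    # Aggregate (lookups, hits) per client per fixed hourly bucket.
    buckets = defaultdict(lambda: [0, 0])
    for e in events:
        agg = buckets[(e.client_id, e.ts // WINDOW_SECS)]
        agg[0] += e.batch_size
        agg[1] += e.hits
    flagged = {}
    for (cid, _bucket), (lookups, hits) in buckets.items():
        reasons = set(flagged.get(cid, ()))
        if lookups > MAX_LOOKUPS_PER_WINDOW:
            reasons.add("volume")
        if lookups >= MIN_LOOKUPS_FOR_RATIO and (lookups - hits) / lookups > MAX_MISS_RATIO:
            reasons.add("miss_ratio")
        if reasons:
            flagged[cid] = sorted(reasons)
    return flagged


# Constructed sample log: all events fall inside the same hourly bucket.
SAMPLE_EVENTS = [
    LookupEvent(1_700_000_000, "client-a", 180, 150),           # normal sync
    *[LookupEvent(1_700_000_000 + i * 60, "client-b", 1000, 20)  # scripted walk
      for i in range(8)],
    LookupEvent(1_700_000_300, "client-c", 800, 100),           # low volume, high misses
]

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_EVENTS))
```

The miss-ratio rule is one signal among several: a genuine first sync in a region with low adoption can also miss heavily, so a production throttle would combine it with per-number-range and per-IP dimensions before blocking rather than acting on it alone.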

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://github.com/sbaresearch/whatsapp-census

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Registration & Takeover Vulnerabilities (new subsection on abusing contact-discovery / identifier-enumeration oracles, dialing-plan modeling, and public-key reuse correlation)".

Repository Maintenance:

  • MD Files Formatting: 909 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
