this is just... enumeration of phone numbers?
how is this a 'security vulnerability'? an issue maybe, but it's not a vulnerability as that implies faulty code; this is a documented feature.
I agree with this, but not the rest. It is not a security vulnerability, and I am not sure it is a privacy-sensitive endpoint either. Like someone pointed out, if you check one of your contacts and they have WhatsApp, you can tell, and you can message them from there. This is a feature.
I agree that there should be rate limiting of some sort.
For example, while everybody can physically go to your house and look at it from the street, somebody setting a webcam up and pointing it at the same house from the same vantage point would be a very different story and is illegal in many jurisdictions as a result.
Sure, they probably should implement it to be able to make it private, but then again, I do not trust Meta and I do not think you should trust it either, so if you get sent to jail for using it, you should probably be wary of it either way.
There are many alternatives to WhatsApp; you may want to try them. Briar, Ricochet Refresh, Session, Matrix (Element), Jabber (with OMEMO and whatnot), among many others.
Why isn't it a privacy and security problem if it is just done for a single phone number?
What if this was not WhatsApp, but it was a website or service dedicated to something unethical or illegal or just extremely embarrassing? Something that could ruin a marriage or career if it was known someone was a registered user? Would it be OK if someone could punch in phone numbers to find out who is registered on these sites?
What if someone automated and correlated this information to produce a profile for a phone number of all the shady/embarrassing services that phone number is associated with?
they claim to have achieved a rate of 7,000/s, which is roughly 25M/h
i do agree that is an absurd amount, especially when paired with the lack of rate limiting as discussed in their paper.
> "[...] Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 B phone numbers registered on WhatsApp [...]"
prior to my initial comment, i was under the impression they had encountered rate limiting and bypassed it; it appears this initial assumption was incorrect.
i agree that it is ridiculous, though i falter on calling it a vulnerability as in my eyes that term is specifically for unintended side effects / exploitation.
assuming a reasonable rate limit, say 100 lookups per day (maybe some exceptions if the lookup results in an account that already has you in contacts, idk) - this would significantly reduce the amount of scraping that can be done.
contact lookup is a required function of WhatsApp, the issue this paper highlights is that there is no protection against mass scraping
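A sketch of the per-session daily quota proposed in the comment above, including the "already has you in contacts" exception, as an added example that is not from the paper or from WhatsApp itself. The 100/day figure, the class and function names and the phone numbers are constructed for illustration only.

```python
from collections import defaultdict

# Constructed illustration of the per-session daily quota floated in the thread.
DAILY_LIMIT = 100  # assumed quota: 100 contact lookups per session per day


class ContactLookupLimiter:
    """Rate-limits "is this phone number registered?" lookups per session and day.

    registered: dict mapping each registered phone number to the set of numbers
    in that account's own contact list (constructed sample data, see below).
    """

    def __init__(self, registered, daily_limit=DAILY_LIMIT):
        self.registered = registered
        self.daily_limit = daily_limit
        # day -> session phone -> number of quota-consuming lookups so far
        self.used = defaultdict(lambda: defaultdict(int))

    def lookup(self, session_phone, target_phone, day):
        """Return (is_registered, status); is_registered is None when refused."""
        # Exception from the comment: if the target already has the requester
        # in its contacts, the lookup reveals nothing new and is not counted.
        if session_phone in self.registered.get(target_phone, set()):
            return True, "allowed-mutual"
        if self.used[day][session_phone] >= self.daily_limit:
            return None, "rate-limited"
        self.used[day][session_phone] += 1
        return target_phone in self.registered, "allowed"


def simulate_scrape(limiter, session_phone, targets, day):
    """Count how many lookups in a bulk number sweep actually get an answer."""
    return sum(1 for t in targets
               if limiter.lookup(session_phone, t, day)[0] is not None)


# Constructed sample: four registered accounts, one of which knows the scraper.
REGISTERED = {
    "+15550000001": {"+15550000002"},
    "+15550000002": set(),
    "+15550000003": {"+15559999999"},  # has the scraper's number saved
    "+15550000004": set(),
}

if __name__ == "__main__":
    limiter = ContactLookupLimiter(REGISTERED)
    sweep = [f"+1555{n:07d}" for n in range(7000)]  # one second of the paper's rate
    # 100 quota answers + 1 free mutual-contact answer -> 101 of 7,000 answered
    print(simulate_scrape(limiter, "+15559999999", sweep, "2024-01-01"))
```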