Particle.news
Download on the App Store
3 ARTICLES
·
last wk.

DEFCON Demo Exposes WhatsApp PFS Key-Exhaustion Flaw, Meta Leaves It Unpatched

A DEFCON demonstration revealed how depleting one-time keys can strip initial message encryption, enabling metadata harvesting on unpatched WhatsApp accounts.

Image
Image
Image

Overview

  • Researchers from the University of Vienna showed that repeatedly requesting server-held one-time PFS keys exhausts them and causes initial messages to be sent without Perfect Forward Secrecy.
  • By monitoring the timing and success of key replenishment, attackers can infer users’ online status, daily routines and even device models for targeted surveillance.
  • Flooding WhatsApp with about 2,000 key requests per second triggers a denial-of-service that blocks new messages and calls for the targeted phone number.
  • The vulnerability was privately reported to Meta on March 28, but researchers say the bug was misclassified and no public patch or response has been confirmed.
  • Simple server-side rate limiting and tighter user privacy settings can mitigate the attack, yet Meta has not announced any deployment timeline for a fix.