
WhatsApp Username Reservation Raises Security Risks for Israeli Companies

Translated & summarized from Behadrei Haredim by baba

WhatsApp has officially introduced the option to reserve usernames ahead of the full feature launch, aiming to simplify communication and enhance privacy by allowing users to chat without revealing phone numbers. However, this new feature exposes well-known Israeli companies to impersonation and phishing risks. An investigation into username availability revealed that while WhatsApp blocks usernames based on international domains ending with ".com", it does not prevent registration of usernames containing the Israeli domain suffix ".co.il". This gap allows malicious actors to claim usernames linked to prominent Israeli brands using local domains.

The main concern stems from WhatsApp's role as a trusted communication channel in Israel, where users commonly receive official messages from banks, health services, local authorities, and support centers. This high level of trust makes the platform an attractive target for attackers. Sophisticated impersonation techniques, such as "homoglyphs" (using visually similar characters) and intentional misspellings, can make phishing messages appear legitimate, potentially leading to widespread fraud.

Currently, Meta's protection mechanisms do not fully safeguard Israeli companies, effectively placing the responsibility on the brands themselves. Companies that do not proactively map and reserve their brand usernames risk losing control over their identity on the platform. Meta responded by stating that the username reservation feature will roll out gradually later this year and that they have preemptively reserved prominent usernames, including those of public figures, government bodies, celebrities, and verified Meta accounts, along with similar variations. Meta emphasized that WhatsApp will still require phone numbers and has implemented multiple anti-fraud layers, such as limiting new contacts per account, blocking repeated username guessing attempts, and detecting impersonation patterns to remove abusive activity.
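For a brand that maps its own names as described above, the following is an added example (not from the article, WhatsApp, or Meta) of a check that flags reported usernames resembling a watchlist entry through a domain suffix, a homoglyph, or a one-character misspelling. The brand names, the look-alike map and the length threshold are assumptions made for illustration, and nothing here reflects WhatsApp's actual username rules.

```python
import unicodedata

# Hand-picked look-alike map (assumption: a small subset, not the full Unicode confusables data).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic letters that look like a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",   # Cyrillic letters that look like p, c, i
})
SUFFIXES = (".co.il", ".com")  # the two suffixes the article mentions

def skeleton(name):
    """Fold case, compatibility forms, accents and mapped look-alikes."""
    s = unicodedata.normalize("NFKD", name).casefold()
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    return s.translate(CONFUSABLES)

def strip_suffix(name):
    for suf in SUFFIXES:
        if name.endswith(suf):
            return name[: -len(suf)]
    return name

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(username, brands):
    """Return (brand, reason) for the first watchlist hit, else None."""
    raw = username.casefold()
    core = strip_suffix(skeleton(username))
    for brand in brands:  # brands are expected in lowercase
        target = skeleton(brand)
        if raw == brand:
            return (brand, "exact")
        if strip_suffix(raw) == brand:
            return (brand, "domain-suffix")
        if core == target:
            return (brand, "homoglyph")
        # Short names are skipped: one edit on a 3-letter name matches too much.
        if len(target) >= 5 and edit_distance(core, target) == 1:
            return (brand, "misspelling")
    return None

# Constructed watchlist; these are not real brands or accounts.
BRANDS = ["examplebank", "samplehealth"]
```

A hit is a lead for review and for a report to the platform, not proof of abuse; a production watchlist would use the full Unicode confusables data instead of this short map.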
