Researchers at the University of Vienna have uncovered a significant privacy flaw in WhatsApp: its contact discovery feature, which tells a client which of the phone numbers in an address book belong to registered users, could be abused to confirm the phone numbers of roughly 3.5 billion accounts. By systematically checking every possible number, the team enumerated those accounts and found that 57% of them exposed a profile photo and 29% exposed profile text. The checks ran at about 100 million numbers per hour through the browser-based WhatsApp client, a throughput that in itself raised substantial privacy concerns.
Meta, WhatsApp’s parent company, was alerted to the vulnerability in April, and the researchers deleted their data afterwards. By October the company had introduced stricter rate limiting to prevent mass enumeration of this kind. Meta nonetheless characterized the exposed information as “basic publicly available information” and said it had no evidence of malicious exploitation. The technique was not new: Dutch researcher Loran Kloeze had published a blog post in 2017 describing the same enumeration method. At the time, Meta responded that WhatsApp’s privacy settings were working as intended and declined to pay him a bug bounty.
The dataset included 137 million U.S. numbers and nearly 750 million from India. It also contained 2.3 million Chinese and 1.6 million Myanmar numbers, even though WhatsApp is banned in both countries. Analysis of the accounts’ public cryptographic keys showed that some accounts shared identical keys; the researchers speculate that this stems from unauthorized third-party WhatsApp clients rather than from a flaw in the platform itself. A key shared by several accounts means a single private key stands behind all of them, so the finding matters beyond enumeration. These results underscore the need for stronger protections and greater accountability in how user data is handled.
While Meta has taken steps to address the issue, the ease with which a dataset of this size could be assembled remains a significant concern. The incident highlights the ongoing difficulty of protecting data privacy on messaging platforms used by billions of people. Beyond the specific weakness in WhatsApp’s contact discovery, the research is a reminder that abuse-resistant design of account lookup features is essential to protecting user information and maintaining trust in digital communication.