WhatsApp Security Flaw Exposed 3.5 Billion User Phone Numbers

Researchers from the University of Vienna have exposed a significant security flaw in WhatsApp: by systematically querying the messaging service's contact discovery feature, they were able to enumerate the phone numbers of 3.5 billion users. The same process also returned profile photos and profile text for a substantial share of those accounts, with 57% of accounts exposing a profile photo and 29% exposing profile text. The team carried out the enumeration at a rate of approximately 100 million numbers per hour through WhatsApp's browser-based application.

The researchers reported the issue to Meta in April, after which the collected data was deleted. In response, Meta had introduced stricter rate limiting by October to curb such mass enumeration attempts. Notably, the same vulnerability had already been identified in 2017 by Dutch researcher Loran Kloeze, who described the same enumeration technique in a blog post. Meta's response at the time was that WhatsApp's privacy settings were functioning as intended, and the researcher was denied a bug bounty reward for the discovery.
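The mitigation the article describes is server-side rate limiting of contact discovery, which turns a lookup endpoint that answers any number of queries into one that caps how many distinct numbers a single account may resolve per time window. The following Python block is an added example, not WhatsApp's or Meta's code; the endpoint model, the limits (5,000 distinct numbers per hour) and the replayed request log are assumptions chosen to illustrate the difference between the unthrottled and the throttled configuration.

```python
"""Sliding-window throttling of a contact-discovery endpoint.

Added example, not WhatsApp's or Meta's code. The limiter, the
limit values and the sample traffic below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ContactDiscoveryLimiter:
    """Limit the number of distinct phone numbers one account may resolve
    within a sliding window.

    max_lookups: distinct numbers an account may query per window.
    window_seconds: length of the sliding window.
    """
    max_lookups: int
    window_seconds: float
    # per-account queue of (timestamp, number) events still inside the window
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, account: str, now: float) -> None:
        q = self._events[account]
        while q and now - q[0][0] >= self.window_seconds:
            q.popleft()

    def distinct_in_window(self, account: str, now: float) -> int:
        """Distinct numbers this account has resolved in the current window."""
        self._prune(account, now)
        return len({num for _, num in self._events[account]})

    def allow(self, account: str, numbers: list, now: float) -> bool:
        """Return True if the batch is served, False if it is throttled.

        Only served batches are recorded, so a throttled client cannot
        extend its own penalty by retrying. Re-querying a number already
        seen in the window is free: the cost is in new information.
        """
        self._prune(account, now)
        seen = {num for _, num in self._events[account]}
        new = set(numbers) - seen
        if len(seen) + len(new) > self.max_lookups:
            return False
        for num in new:
            self._events[account].append((now, num))
        return True


def simulate(limiter: ContactDiscoveryLimiter, requests: list) -> dict:
    """Replay (timestamp, account, numbers) requests through the limiter and
    return per-account counts of served and throttled batches."""
    stats = defaultdict(lambda: {"served": 0, "throttled": 0})
    for ts, account, numbers in requests:
        outcome = "served" if limiter.allow(account, numbers, ts) else "throttled"
        stats[account][outcome] += 1
    return dict(stats)


# Constructed sample traffic (not real data): one account syncing a
# 120-entry address book once, and one account sweeping 20,000 sequential
# numbers in 20 batches over ten seconds.
ADDRESS_BOOK_SYNC = [(0.0, "user-a", [f"+1555000{i:04d}" for i in range(120)])]
SEQUENTIAL_SWEEP = [
    (t * 0.5, "user-b", [f"+1555{t:03d}{i:04d}" for i in range(1000)])
    for t in range(20)
]


def demo() -> tuple:
    """Run the same traffic against an effectively unlimited endpoint and
    against one capped at 5,000 distinct numbers per hour."""
    unlimited = ContactDiscoveryLimiter(max_lookups=10**9, window_seconds=3600)
    capped = ContactDiscoveryLimiter(max_lookups=5000, window_seconds=3600)
    traffic = ADDRESS_BOOK_SYNC + SEQUENTIAL_SWEEP
    return simulate(unlimited, traffic), simulate(capped, traffic)


if __name__ == "__main__":
    before, after = demo()
    print("no limit:             ", before)
    print("5000 distinct / hour: ", after)
```

Under the capped configuration the ordinary address-book sync is served unchanged, while the sweeping account is cut off after its fifth batch. Counting distinct numbers rather than raw requests is the design choice that matters here: a per-request limit can be evaded by packing more numbers into each batch, whereas a cap on new numbers resolved per window bounds the information any single account can extract regardless of batch size.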

The data the researchers collected was extensive: 137 million U.S. phone numbers, nearly 750 million in India, 2.3 million in China, and 1.6 million in Myanmar, even though WhatsApp is banned in both of the latter two countries. The researchers also examined the cryptographic keys associated with the accounts and found that some users shared duplicate keys, which they speculate is more likely due to unauthorized third-party WhatsApp clients than to an inherent flaw in the platform.