WhatsApp Security Flaw Exposes 3.5 Billion Numbers

Researchers at the University of Vienna have disclosed a critical weakness in WhatsApp that allowed them to enumerate the phone numbers of roughly 3.5 billion accounts. The technique abuses WhatsApp's contact discovery feature: a client asks the service which of a set of phone numbers are registered, and nothing stopped a client from asking about every possible number in turn. Using the browser-based WhatsApp client, the team reportedly checked about 100 million numbers per hour, and for the accounts it found was able to retrieve profile photos for 57% and profile "about" text for 29%. The data set included 137 million U.S. phone numbers, nearly 750 million numbers in India, 2.3 million in China and 1.6 million in Myanmar, even though WhatsApp is banned in the latter two countries. The researchers also examined the public identity keys returned for accounts and found that some keys were shared by more than one account; they attribute this to unofficial third-party clients rather than to a flaw in the platform itself.

Meta was notified in April, and by October it had deployed stricter rate limiting on contact discovery to prevent mass enumeration of this kind. Meta classified the exposed data as "basic publicly available information" and says it has found no evidence that the weakness was exploited maliciously. The issue was not new: Dutch researcher Loran Kloeze published a detailed blog post describing the same enumeration technique in 2017. At the time the company replied that WhatsApp's privacy settings were working as designed and declined to pay him a bug bounty. The current study shows that, absent effective throttling, a feature that is benign at the scale of one user's address book becomes a bulk data-collection channel at the scale of the entire number space.
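To make the abuse and the fix concrete, the following is an added, constructed simulation (not WhatsApp code, and not the researchers' tooling). It models a contact-discovery endpoint that answers "which of these numbers are registered?", an enumeration loop that walks a number range in batches the way the study did, a per-client sliding-window rate limiter of the kind Meta said it added, and the cross-account duplicate-key audit the researchers ran. The directory contents, key strings, number prefix, and the limit values are all assumptions chosen for illustration.

```python
"""Constructed simulation of contact-discovery enumeration and its mitigation.

Not WhatsApp's code or protocol. The directory, keys and limits are synthetic.
"""
from collections import defaultdict, deque

# Constructed directory of registered numbers -> public identity key.
# Key strings are arbitrary placeholders, not a real key format.
DIRECTORY = {
    "+15550000001": "ab12",
    "+15550000002": "cd34",
    "+15550000003": "ab12",   # shares a key with ...0001: the duplicate-key pattern
    "+15550000004": "ef56",
}


class SlidingWindowLimiter:
    """Per-client limiter: at most `limit` number lookups per `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)   # client -> timestamps of counted lookups

    def allow(self, client, now, count=1):
        q = self.events[client]
        # Drop lookups that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) + count > self.limit:
            return False
        q.extend([now] * count)
        return True


class ContactDiscovery:
    """Answers which submitted numbers are registered (and with which key).

    With limiter=None this is the unthrottled behaviour the study exploited;
    with a limiter it refuses bulk lookups once a client exceeds its budget.
    """

    def __init__(self, limiter=None):
        self.limiter = limiter

    def lookup(self, client, numbers, now=0.0):
        if self.limiter and not self.limiter.allow(client, now, len(numbers)):
            raise PermissionError("rate limit exceeded")
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def enumerate_range(service, client, prefix, start, end, batch=100):
    """Walk every number prefix+N for N in [start, end) in batches.

    Returns (registered numbers found, number of batches the service refused).
    `now` is held constant so the whole run falls inside one limiter window.
    """
    found, blocked = {}, 0
    for lo in range(start, end, batch):
        nums = [f"{prefix}{i:07d}" for i in range(lo, min(lo + batch, end))]
        try:
            found.update(service.lookup(client, nums, now=0.0))
        except PermissionError:
            blocked += 1
    return found, blocked


def duplicate_keys(directory):
    """Return {key: [numbers]} for every key attached to more than one account."""
    by_key = defaultdict(list)
    for number, key in directory.items():
        by_key[key].append(number)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    # Unthrottled: the whole range is harvested.
    found, blocked = enumerate_range(ContactDiscovery(), "bot", "+1555", 0, 1000)
    print("unthrottled:", sorted(found), "blocked batches:", blocked)

    # Throttled: 200 lookups per hour per client, so 8 of 10 batches are refused.
    limited = ContactDiscovery(SlidingWindowLimiter(limit=200, window=3600))
    found, blocked = enumerate_range(limited, "bot", "+1555", 0, 1000)
    print("throttled:", sorted(found), "blocked batches:", blocked)

    print("duplicate keys:", duplicate_keys(DIRECTORY))
```

The limiter counts submitted numbers rather than requests, since an attacker can otherwise pack thousands of numbers into one call. In this toy run the four registered numbers happen to sit in the first batch, so a budget of 200 lookups still reveals them; in a real deployment the budget has to be set relative to a legitimate address book, not to the size of the number space.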

The researchers' work underscores the need for continuous security assessment of messaging services, including of features like contact discovery that sit outside the end-to-end encrypted message path. What was exposed here was not message content but account metadata and profile data, and at the scale of billions of accounts that is enough to map who uses the service, including in countries where doing so carries real risk. The study also raises questions about how effective current anti-scraping measures are, given that the same technique was reported eight years earlier, and it may prompt further regulatory scrutiny or industry-wide changes to how such platforms protect user data.