WhatsApp Security Flaw Exposes 3.5 Billion Phone Numbers

Researchers at the University of Vienna recently reported a critical flaw in WhatsApp's contact discovery feature: the lookup that tells a client which phone numbers in its address book belong to WhatsApp accounts could be queried at scale without meaningful rate limiting. By submitting every plausible phone number, the team enumerated an estimated 3.5 billion accounts and, for a significant share of them, collected the associated profile data, including profile photos and "about" text. Using WhatsApp's browser-based client, the study sustained roughly 100 million number lookups per hour, which illustrates how much an unthrottled lookup interface can expose when such weaknesses go unaddressed.

The researchers, who notified Meta of the issue in April, gathered a substantial data set: over 137 million U.S. phone numbers, nearly 750 million numbers from India, and 2.3 million Chinese numbers. Although WhatsApp is banned in both China and Myanmar, the team also found 1.6 million numbers in Myanmar. They further examined the public cryptographic keys exposed for the accounts and found that some accounts shared identical keys, which independently generated accounts should never do; they speculate that this stems from unauthorized WhatsApp clients rather than from a flaw in the platform itself.

Meta responded to the findings by deploying stricter rate limiting on contact discovery by October, in an effort to prevent further mass enumeration of user data. The company characterized the exposed information as "basic publicly available information" and stated that it had found no evidence of malicious exploitation. The researchers, however, have raised concerns that profile data collected at the scale of the entire user base can be used for targeted attacks (phishing and scam campaigns, for instance) or other malicious purposes. While Meta has addressed the issue, the discovery underscores the importance of ongoing security audits, of treating lookup endpoints as enumeration risks, and of user privacy protections in messaging platforms.
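The following is an added example written for this page; it is not code from the article, from the researchers, or from Meta or WhatsApp. It models a contact-discovery endpoint (a client uploads phone numbers, the server answers which ones are registered) and shows how the enumeration described above works against an endpoint with no per-client budget, and how a per-client token bucket of the kind Meta's response implies, combined with a low-hit-rate heuristic, contains it. The registry of "registered" numbers, the bucket size, the refill rate and the detection thresholds are all constructed for illustration and are not WhatsApp's real values.

```python
# Added example, not from the article nor Meta/WhatsApp code. Models a
# contact-discovery endpoint and shows (a) unbounded enumeration of the
# registered-number set and (b) containment via a per-client token bucket
# plus a low-hit-rate heuristic. All numbers and limits are constructed.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Per-client lookup budget: `capacity` lookups, refilled at `refill_per_sec`."""

    capacity: float
    refill_per_sec: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity

    def allow(self, now: float, cost: int = 1) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


@dataclass
class ContactDiscovery:
    """Toy contact-discovery service. `rate_limited=False` reproduces the
    unbounded behaviour the study exploited; `True` applies a per-client bucket."""

    registered: set[str]
    rate_limited: bool
    bucket_capacity: int = 500          # assumed per-client budget (illustrative)
    refill_per_sec: float = 1.0         # assumed refill rate (illustrative)
    buckets: dict[str, TokenBucket] = field(default_factory=dict)
    stats: dict[str, list[int]] = field(default_factory=dict)  # client -> [lookups, hits]

    def lookup(self, client: str, numbers: list[str], now: float) -> dict[str, bool] | None:
        """Return registration status per number, or None if the client is over budget."""
        if self.rate_limited:
            bucket = self.buckets.setdefault(
                client, TokenBucket(self.bucket_capacity, self.refill_per_sec))
            if not bucket.allow(now, cost=len(numbers)):
                return None
        result = {n: n in self.registered for n in numbers}
        lookups, hits = self.stats.get(client, [0, 0])
        self.stats[client] = [lookups + len(numbers), hits + sum(result.values())]
        return result

    def looks_like_enumeration(self, client: str, min_lookups: int = 1000,
                               max_hit_rate: float = 0.05) -> bool:
        """Heuristic (an assumption, not a WhatsApp mechanism): an address-book
        sync mostly hits registered users, while a sweep over a numbering plan
        asks about many numbers and hits very few of them."""
        lookups, hits = self.stats.get(client, [0, 0])
        return lookups >= min_lookups and hits / lookups <= max_hit_rate


def enumerate_range(service: ContactDiscovery, client: str, prefix: str,
                    count: int, batch: int, now: float) -> tuple[list[str], int]:
    """Attacker loop: query prefix+000000 .. prefix+(count-1) in batches.
    Returns the registered numbers discovered and the number of rejected batches."""
    found: list[str] = []
    rejected = 0
    for start in range(0, count, batch):
        chunk = [f"{prefix}{i:06d}" for i in range(start, min(start + batch, count))]
        answer = service.lookup(client, chunk, now)
        if answer is None:
            rejected += 1
            continue
        found.extend(n for n, ok in answer.items() if ok)
    return found, rejected


# Constructed registry: every 400th number in a 20,000-number block is "registered".
REGISTERED = {f"+1555{i:06d}" for i in range(0, 20000, 400)}   # 50 accounts


def address_book_sync(service: ContactDiscovery, client: str, now: float) -> dict[str, bool] | None:
    """A legitimate client syncing a constructed 30-contact address book (24 registered)."""
    book = [f"+1555{i:06d}" for i in range(0, 9600, 400)]
    book += [f"+1555{i:06d}" for i in (3, 7, 11, 13, 17, 19)]
    return service.lookup(client, book, now)


if __name__ == "__main__":
    for limited in (False, True):
        svc = ContactDiscovery(REGISTERED, rate_limited=limited)
        found, rejected = enumerate_range(svc, "scanner", "+1555", 20000, 100, now=0.0)
        print(f"rate_limited={limited}: found {len(found)}/{len(REGISTERED)}, "
              f"rejected {rejected} batches, flagged={svc.looks_like_enumeration('scanner')}")
```

With no budget, the scanner recovers all 50 registered numbers from 20,000 lookups and its hit rate (0.25%) trips the enumeration heuristic; with the bucket in place only the first 500 lookups succeed at time zero, so it finds 2 numbers and the remaining 195 batches are rejected, while a 30-contact address-book sync still passes. Note that a refill rate alone only slows a patient attacker; the hit-rate signal is what distinguishes a sweep from a legitimate sync.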