WhatsApp Security Flaw Exposes 3.5 Billion Phone Numbers

A significant security flaw in WhatsApp has been discovered that allowed researchers from the University of Vienna to extract the phone numbers of 3.5 billion users. The weakness lies in the contact discovery feature: WhatsApp answers a lookup for any phone number by reporting whether it belongs to an account, and those lookups were not rate-limited tightly enough to stop a systematic sweep of the entire number space. Querying roughly 100 million numbers per hour through the messaging service's browser-based app, the researchers assembled a dataset that also included profile photos for 57% of the accounts and profile text for 29%.

The study highlights the risk of exposing personal data at this scale: a single dataset ties a large fraction of the world's phone numbers to a WhatsApp account, and for many of them to a photo or profile text as well. The researchers reported the issue to Meta in April and deleted the data they had collected; by October Meta had deployed stricter rate limiting to block this kind of mass enumeration. Meta described the exposed information as 'basic publicly available information' and said it found no evidence of malicious exploitation. The weakness was not new: Dutch researcher Loran Kloeze described the same enumeration technique in 2017. Meta responded then that WhatsApp's privacy settings were functioning as designed and declined to pay him a bug bounty.

The dataset included 137 million U.S. phone numbers and nearly 750 million numbers in India. It also contained 2.3 million Chinese numbers and 1.6 million Myanmar numbers, even though WhatsApp is banned in both countries. An analysis of the accounts' cryptographic keys found that some accounts shared identical keys; the team attributes this to unofficial WhatsApp clients rather than to a flaw in the platform. Shared keys matter because end-to-end encryption only protects an account's messages if that account alone holds the corresponding private key. The findings underscore that a contact discovery endpoint needs per-client rate limiting and abuse monitoring, since whatever it returns for an arbitrary number is effectively public.
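To make the mechanism concrete, here is an added example (not code from the researchers, from Meta or from WhatsApp) that models the enumeration described above, the per-client rate limit that stops it, and the duplicate-key check over the harvested accounts. Everything in it is hypothetical: the discovery function, the number range 1000 to 1099, the fake identity-key fingerprints and the quota of 30 lookups per hour are constructed for the demonstration and are not WhatsApp's protocol, API or actual limits.

```python
"""Hypothetical model of contact-discovery enumeration, the rate-limit fix,
and a duplicate-key check over the harvested data. Not WhatsApp's code."""
from collections import defaultdict

# Constructed sample population: a tiny "country" whose numbers run from
# 1000 to 1099. Values are fake identity-key fingerprints; two accounts
# share "KEY-c", which models the duplicate-key anomaly the study reported.
REGISTERED = {
    1003: "KEY-a", 1017: "KEY-b", 1042: "KEY-c", 1058: "KEY-c",
    1071: "KEY-d", 1099: "KEY-e",
}
BATCH_SIZE = 10  # numbers per lookup request (hypothetical)


def discover(numbers):
    """Unthrottled contact discovery: for a batch of numbers, return
    {number: key} for the registered ones. Any caller, any numbers."""
    return {n: REGISTERED[n] for n in numbers if n in REGISTERED}


class RateLimiter:
    """Sliding-window quota: at most `limit` looked-up numbers per `window`
    seconds per client. The clock is injectable so the demo is deterministic."""

    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.log = defaultdict(list)  # client -> timestamps of counted lookups

    def allow(self, client, count):
        now = self.clock()
        recent = [t for t in self.log[client] if now - t < self.window]
        self.log[client] = recent
        if len(recent) + count > self.limit:
            return False
        recent.extend([now] * count)
        return True


def discover_throttled(limiter, client, numbers):
    """Hardened endpoint: every looked-up number counts against the caller's
    quota whether or not it is registered, so a sweep exhausts it quickly."""
    if not limiter.allow(client, len(numbers)):
        raise PermissionError("rate limit exceeded")
    return discover(numbers)


def enumerate_range(lookup, start, stop):
    """Sweep every number in [start, stop) in batches until throttled.
    Returns (harvested {number: key}, how many numbers were checked)."""
    harvested, checked = {}, 0
    for batch_start in range(start, stop, BATCH_SIZE):
        batch = list(range(batch_start, min(batch_start + BATCH_SIZE, stop)))
        try:
            harvested.update(lookup(batch))
        except PermissionError:
            break
        checked += len(batch)
    return harvested, checked


def duplicate_keys(harvested):
    """Group harvested accounts by key; return {key: sorted numbers} for
    every key that more than one account presents."""
    by_key = defaultdict(list)
    for number, key in harvested.items():
        by_key[key].append(number)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def run_demo():
    # Unthrottled: the whole range is swept and every registered number found.
    full, checked_full = enumerate_range(discover, 1000, 1100)
    # Throttled: a hypothetical quota of 30 numbers per hour per client ends
    # the same sweep after three batches.
    fake_now = [0.0]
    limiter = RateLimiter(limit=30, window=3600, clock=lambda: fake_now[0])
    partial, checked_partial = enumerate_range(
        lambda batch: discover_throttled(limiter, "scraper", batch), 1000, 1100)
    return {
        "unthrottled": (len(full), checked_full),
        "throttled": (len(partial), checked_partial),
        "shared_keys": duplicate_keys(full),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design choices carry the security point. First, the limiter counts every number submitted, not only the hits, because an enumerator's requests are mostly misses; a limit on successful lookups alone would not slow the sweep. Second, the quota is keyed to a client identity, since the study's sweep ran through a single browser client; a limit that is not tied to the account, device or source behind the requests is easy to spread across many sessions. The duplicate-key check is a plain grouping, but it is the kind of cross-account analysis that only becomes possible once an unthrottled endpoint has handed out keys for the whole population.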