Researchers at the University of Vienna uncovered a significant security flaw in WhatsApp that allowed them to extract the phone numbers of 3.5 billion users by abusing the contact discovery feature. The team systematically checked every possible number, which yielded profile photos for 57% of the accounts and profile text for 2.9%. Using WhatsApp's browser-based app, they processed roughly 100 million numbers per hour.
The researchers notified Meta in April and deleted their data, prompting the company to implement stricter rate limiting by October to prevent such mass enumeration. Meta stated that the exposed information was considered "basic publicly available information" and said it found no evidence of malicious exploitation. However, the weakness had been identified before: Dutch researcher Loran Kloeze described the same enumeration technique in 2017. Meta responded at the time that WhatsApp's privacy settings were functioning as designed and denied him a bug bounty reward.
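The control the article says Meta added is a cap on how many contact-discovery lookups one client may make in a given window. The sketch below is an added example, not WhatsApp's or Meta's code; the per-hour limit, window length and the `discover`/`ContactDiscoveryLimiter` names are assumptions, chosen so that a normal address-book sync fits comfortably while a scan of every possible number is cut off and flagged for review.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds (not from the article): a real address book is a few
# thousand entries at most, while the enumeration described ran at ~100M/hour.
LOOKUPS_PER_HOUR = 5_000
WINDOW_SECONDS = 3600


class ContactDiscoveryLimiter:
    """Sliding-window budget of contact lookups per client (hypothetical design)."""

    def __init__(self, limit=LOOKUPS_PER_HOUR, window=WINDOW_SECONDS, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested offline
        self._events = defaultdict(deque)  # client_id -> timestamps of counted lookups
        self.flagged = set()  # clients that exceeded the budget, for SOC review

    def _prune(self, client_id, now):
        q = self._events[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, client_id, batch_size):
        """Return True if `batch_size` lookups fit the client's remaining budget."""
        now = self.clock()
        q = self._prune(client_id, now)
        if len(q) + batch_size > self.limit:
            self.flagged.add(client_id)  # a burst this large looks like enumeration
            return False
        q.extend([now] * batch_size)
        return True


def discover(limiter, client_id, numbers, registry):
    """Resolve numbers to registered accounts only when the client is within budget.

    An over-budget batch gets an empty answer rather than a partial one, so the
    caller learns nothing about which numbers in the rejected batch are registered.
    """
    if not limiter.allow(client_id, len(numbers)):
        return {}
    return {n: registry[n] for n in numbers if n in registry}
```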
The researchers collected 137 million U.S. phone numbers, nearly 750 million in India, 2.3 million in China, and 1.6 million in Myanmar, the latter two despite WhatsApp being banned in those countries. They also found some accounts using duplicate cryptographic keys, which they attribute to unauthorized WhatsApp clients rather than a platform flaw.