Researchers from the University of Vienna have discovered a critical security flaw in WhatsApp that has exposed the phone numbers of 3.5 billion users. The flaw allows attackers to systematically check every possible phone number through WhatsApp’s contact discovery feature, effectively creating a way to enumerate user accounts at scale. The team found profile photos for 57% of the accounts and profile text for 29% of the users, highlighting the potential for large-scale data collection. The researchers processed approximately 100 million numbers per hour using WhatsApp’s browser-based app; that throughput underscores the severity of the vulnerability. The team notified Meta in April and subsequently deleted their data, prompting the company to implement stricter rate-limiting measures by October to prevent similar mass enumeration attempts.
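The mitigation the article describes is server-side rate limiting on the contact-discovery lookup. The following is an added illustration of what such a guard can look like from the service's side; it is not WhatsApp's or Meta's code, and the client ids, phone numbers, timestamps and thresholds are constructed assumptions. It applies two checks per client over a sliding window: a cap on the number of distinct numbers looked up, and a detector for runs of numerically consecutive numbers, which is the signature of a range scan rather than an address-book sync.

```python
"""Server-side enumeration guard for a contact-discovery lookup endpoint.

Added illustration of a rate-limiting/scan-detection check; it is not
WhatsApp's or Meta's code. Client ids, phone numbers, timestamps and
thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # sliding window per client (assumed)
MAX_DISTINCT_PER_WINDOW = 50   # distinct numbers a client may look up per window (assumed)
SEQ_RUN_THRESHOLD = 10         # run of consecutive numbers that signals range scanning (assumed)


class EnumerationGuard:
    """Tracks per-client lookups and blocks bulk or sequential number probing."""

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_PER_WINDOW,
                 seq_run=SEQ_RUN_THRESHOLD):
        self.window = window
        self.max_distinct = max_distinct
        self.seq_run = seq_run
        self._events = defaultdict(deque)   # client -> deque[(timestamp, number)]
        self._flagged = set()

    def _evict_expired(self, client, now):
        """Drop lookups older than the window so only recent traffic counts."""
        queue = self._events[client]
        while queue and now - queue[0][0] >= self.window:
            queue.popleft()

    @staticmethod
    def _longest_consecutive_run(numbers):
        """Length of the longest run of numerically adjacent numbers (e.g. ...100, ...101)."""
        values = sorted(int(n.lstrip("+")) for n in numbers)
        best = run = 1 if values else 0
        for prev, cur in zip(values, values[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        return best

    def check(self, client, number, timestamp):
        """Record one lookup and return 'allow' or 'block'."""
        self._evict_expired(client, timestamp)
        queue = self._events[client]
        queue.append((timestamp, number))
        distinct = {n for _, n in queue}
        too_many = len(distinct) > self.max_distinct
        scanning = self._longest_consecutive_run(distinct) >= self.seq_run
        if too_many or scanning:
            self._flagged.add(client)
            return "block"
        return "allow"

    def flagged_clients(self):
        return set(self._flagged)


def constructed_lookups():
    """Constructed sample traffic: one normal sync, one range scanner, one bulk prober."""
    events = []
    # Normal address-book sync: a handful of unrelated numbers.
    for i, num in enumerate(["+14155550101", "+14155550137", "+14155550244",
                             "+14155550390", "+14155550412", "+14155550578"]):
        events.append((float(i), "app-user-1", num))
    # Range scanner: twelve consecutive numbers within a few seconds.
    for i in range(12):
        events.append((10.0 + i, "bulk-client-9", f"+1555555{100 + i:04d}"))
    # Bulk prober: sixty distinct, non-adjacent numbers inside one window.
    for i in range(60):
        events.append((30.0 + i * 0.5, "bulk-client-4", f"+{12125550000 + i * 1000}"))
    return events


def run_sample():
    """Replay the constructed lookups through the guard and summarize decisions."""
    guard = EnumerationGuard()
    summary = {"allowed": 0, "blocked": 0}
    for ts, client, number in constructed_lookups():
        decision = guard.check(client, number, ts)
        summary["allowed" if decision == "allow" else "blocked"] += 1
    summary["flagged"] = guard.flagged_clients()
    return summary


if __name__ == "__main__":
    print(run_sample())
```

On the constructed traffic the normal client is never blocked, the range scanner is cut off at its tenth consecutive number, and the bulk prober is cut off once it exceeds fifty distinct numbers in the window. The thresholds are deliberately low for illustration; a production service would size them against real address-book sizes (legitimate syncs can exceed fifty contacts) and would also key limits on the account and device, not only on a client id.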
The vulnerability was not new, as it was previously detailed by Dutch researcher Loran Kloeze in 2017, who published a blog post explaining the same enumeration technique. Meta at the time responded by stating that WhatsApp’s privacy settings were functioning as designed and denied him a bug bounty reward. The current findings have expanded the scale of the potential data exposure, revealing 137 million U.S. phone numbers, nearly 750 million in India, 2.3 million in China, and 1.6 million in Myanmar, despite WhatsApp being banned in both China and Myanmar. The researchers also analyzed cryptographic keys and found that some accounts used duplicate keys, which they speculate could be the result of unauthorized WhatsApp clients rather than a flaw in the platform itself.
Meta has stated that the information exposed by the flaw is ‘basic publicly available information’ and that there is no evidence of malicious exploitation. However, the researchers have raised concerns about the potential risks associated with such widespread data exposure. They emphasize the importance of improved security measures to protect user data. The findings highlight the ongoing challenges in securing communication platforms and the need for continuous vigilance to prevent similar vulnerabilities in the future.