Researchers at the University of Vienna have shown that WhatsApp’s contact discovery feature could be abused for mass enumeration. Contact discovery exists to answer “which of these numbers have a WhatsApp account?”, and because lookups were not meaningfully rate-limited, the team could query every plausible phone number and confirm 3.5 billion registered accounts. For 57% of those accounts they also retrieved the profile photo, and for 29% the profile (“about”) text, both subject to the owner’s privacy settings. Using WhatsApp’s browser-based client, they processed around 100 million numbers per hour.
The team notified Meta in April and subsequently deleted the data they had collected. In response, Meta had stricter rate limiting on contact discovery in place by October to prevent similar mass enumeration. Meta described the exposed information as “basic publicly available information” and said it had found no evidence of malicious exploitation. The weakness was not new: Dutch researcher Loran Kloeze described a similar enumeration technique in 2017. At the time, Meta replied that WhatsApp’s privacy settings were working as intended and declined to pay a bug bounty for the report.
The researchers found 137 million U.S. phone numbers, nearly 750 million in India, 2.3 million in China, and 1.6 million in Myanmar, despite WhatsApp being banned in the latter two countries. Their analysis of the public keys served for each account showed that some accounts shared identical keys, which the researchers attribute to unofficial clients rather than to a flaw in the platform itself. The episode is less a breach of WhatsApp’s systems than a demonstration that a feature which must answer “is this number registered?” will leak that fact at population scale unless lookups are strictly limited per client, and it raises concerns about data privacy for WhatsApp users globally.