Researchers from the University of Vienna have uncovered a significant security flaw in WhatsApp, which allowed them to extract phone numbers for 3.5 billion users. By exploiting the messaging service’s contact discovery feature, the team systematically checked every possible number, resulting in the collection of profile photos for 57% of the accounts and profile text for 29%. The process involved checking roughly 100 million numbers per hour using the browser-based app.
The research team informed Meta in April and deleted their data, prompting the company to implement stricter rate-limiting measures by October. Meta responded by stating that the exposed information was considered basic publicly available data and that there was no evidence of malicious exploitation. The vulnerability, however, had been identified before, with Dutch researcher Loran Kloeze publishing a detailed blog post in 2017. Meta at the time denied the bug bounty reward, claiming that WhatsApp’s privacy settings were functioning as designed.
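The enumeration described above works because a contact-discovery endpoint answers one question per number, so a client that asks for every number eventually maps the whole user base. The countermeasure Meta is reported to have adopted is rate limiting. Below is an added illustration of that control, not code from WhatsApp, Meta or the researchers: a per-account sliding-window limit on lookups, run over constructed traffic in which one client syncs a normal 20-contact address book and another sweeps 250 consecutive numbers in a minute. The endpoint shape, the budget values and the sample events are all assumptions made for the example.

```python
"""Sliding-window rate limit for a contact-discovery lookup endpoint.

Added example (not WhatsApp's or Meta's code). The event shape, budget
values and sample traffic are constructed for illustration only.
"""
from collections import deque


class LookupLimiter:
    """Per-account sliding window: at most `max_lookups` number checks in
    any `window_seconds` interval. A legitimate address-book sync stays far
    below the budget; a client checking numbers in bulk is throttled once
    it has used the first `max_lookups` of the window."""

    def __init__(self, window_seconds=3600, max_lookups=5000):
        self.window_seconds = window_seconds
        self.max_lookups = max_lookups
        self._history = {}  # account_id -> deque of lookup timestamps (seconds)

    def allow(self, account_id, ts):
        """Return True if this lookup fits the budget, False to throttle it."""
        q = self._history.setdefault(account_id, deque())
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(ts)
        return True


def process_lookups(events, limiter):
    """events: iterable of (account_id, timestamp_seconds, phone_number).

    Returns {account_id: {"allowed": n, "throttled": m}}; a high throttled
    count per account is the signal a detection pipeline would alert on."""
    summary = {}
    for account_id, ts, _number in events:
        stats = summary.setdefault(account_id, {"allowed": 0, "throttled": 0})
        if limiter.allow(account_id, ts):
            stats["allowed"] += 1
        else:
            stats["throttled"] += 1
    return summary


def sample_events():
    """Constructed traffic: a normal sync of 20 contacts spread over 20 s,
    and a client checking 250 consecutive numbers within one minute."""
    events = []
    for i in range(20):
        events.append(("normal-user", 1000 + i, f"+1555000{i:04d}"))
    for i in range(250):
        # 250 lookups compressed into the 60 s starting at t=1000
        events.append(("sweeper", 1000 + i * 60 // 250, f"+1555100{i:04d}"))
    return events


if __name__ == "__main__":
    # A deliberately small budget (100 per hour) so the effect is visible
    # on the small constructed sample.
    limiter = LookupLimiter(window_seconds=3600, max_lookups=100)
    for acct, stats in process_lookups(sample_events(), limiter).items():
        print(acct, stats)
```

With the hypothetical 100-per-hour budget, the normal sync passes untouched while the sweeping client gets 100 lookups through and 150 refused; the throttled count per account is the value to feed into alerting, since a real address book produces no refusals at all.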
The researchers collected a substantial number of U.S. phone numbers, with 137 million identified, along with nearly 750 million in India, 2.3 million in China, and 1.6 million in Myanmar, despite the app being banned in the latter two countries. The team also analyzed the cryptographic keys and found that some accounts used duplicate keys, which they speculate may have been due to unauthorized clients rather than a flaw in the platform’s design.