Researchers at the University of Vienna have disclosed a significant security flaw in WhatsApp that allowed them to extract the phone numbers of 3.5 billion users by abusing the service’s contact discovery feature. The technique, which systematically checked every possible number, also yielded profile photos for 57% of accounts and profile text for 29% of the total. The researchers reported the issue to Meta in April, and the data was deleted after the company rolled out stricter rate-limiting by October. Meta has described the exposed information as ‘basic publicly available information’ and stated that it found no evidence of malicious exploitation of the vulnerability. The flaw was not new: it had been known since 2017, when Dutch researcher Loran Kloeze described the same enumeration technique; Meta responded at the time that WhatsApp’s privacy settings were functioning as designed and denied him a bug bounty reward. The researchers collected a vast amount of data, including 137 million U.S. phone numbers, nearly 750 million in India, and significant numbers in China and Myanmar, even though WhatsApp is banned in both countries. They also analyzed the accounts’ cryptographic keys and speculated that some accounts used duplicate keys, which they believe resulted from unauthorized WhatsApp clients rather than a platform flaw.
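The control the article credits with closing the gap is stricter rate-limiting of contact discovery. The following is an added illustration, not code from the researchers or from Meta, of a contact-discovery endpoint with a per-client sliding-window quota plus a hit-ratio heuristic that separates an address-book sync (mostly real numbers) from a sweep over a number range (mostly misses); the registry, phone numbers and thresholds are constructed for the example.

```python
import time
from collections import deque

# Constructed sample registry (hypothetical numbers, not real accounts):
# number -> profile data the endpoint would hand back on a hit.
REGISTRY = {
    "+15550000101": {"photo": True, "about": "on the road"},
    "+15550000102": {"photo": False, "about": None},
    "+15550000107": {"photo": True, "about": None},
    "+15550000150": {"photo": True, "about": "hey there"},
}

class ContactDiscovery:
    """Contact-discovery lookups with a per-client sliding-window quota and
    an enumeration heuristic based on distinct-number volume and hit ratio."""

    def __init__(self, registry, max_lookups=100, window_s=3600,
                 min_sample=50, min_hit_ratio=0.2):
        self.registry = registry
        self.max_lookups = max_lookups      # lookups allowed per client per window
        self.window_s = window_s            # sliding window length in seconds
        self.min_sample = min_sample        # distinct numbers before judging hit ratio
        self.min_hit_ratio = min_hit_ratio  # below this looks like a number sweep
        self.clients = {}  # client_id -> {"stamps": deque, "seen": set, "hits": int}

    def _state(self, client_id):
        return self.clients.setdefault(
            client_id, {"stamps": deque(), "seen": set(), "hits": 0})

    def _suspicious(self, st):
        # A real contact sync hits mostly registered accounts; a brute-force
        # sweep over a number block hits only a small fraction of what it asks.
        seen = len(st["seen"])
        return seen >= self.min_sample and st["hits"] / seen < self.min_hit_ratio

    def lookup(self, client_id, numbers, now=None):
        now = time.monotonic() if now is None else now
        st = self._state(client_id)
        while st["stamps"] and now - st["stamps"][0] >= self.window_s:
            st["stamps"].popleft()  # drop lookups that left the window
        if len(st["stamps"]) + len(numbers) > self.max_lookups:
            # Over quota: answer nothing, so registration status is not revealed.
            return {"throttled": True, "suspicious": self._suspicious(st), "results": {}}
        results = {}
        for n in numbers:
            st["stamps"].append(now)
            if n not in st["seen"]:
                st["seen"].add(n)
                st["hits"] += n in self.registry
            results[n] = self.registry.get(n)  # None means "not registered"
        return {"throttled": False, "suspicious": self._suspicious(st), "results": results}
```

A flagged client is a signal for the service to tighten that client's quota or require re-verification; the quota alone only slows a sweep, it does not identify one.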
The exposure of such a vast dataset is itself a security concern, even though Meta insists there is no evidence of its misuse. The researchers stress that the vulnerability behind their findings is not new and was known well before this disclosure. The sheer scale of the exposed information nonetheless underscores the gravity of the situation and raises questions about the platform’s privacy measures and its ability to safeguard user data against large-scale enumeration. The report also raises broader concerns about the security of messaging platforms and their capacity to protect user information from misuse by entities with malicious intent.