Researchers at the University of Vienna have discovered a critical security flaw in WhatsApp that exposes the phone numbers of 3.5 billion users. The flaw allows the systematic extraction of phone numbers through WhatsApp’s contact discovery feature, which also returned profile photos for 57% of the accounts and profile text for 2.9% of the users. Using the browser-based version of the app, the research team processed approximately 100 million numbers per hour. The researchers had informed Meta about the vulnerability by April, after which the collected data was deleted. In response, Meta implemented stricter rate-limiting measures by October, although the company has acknowledged that the vulnerability had already been identified in 2017. The same enumeration technique was detailed in a blog post by Dutch researcher Loran Kloeze, who was denied a bug bounty reward by Meta because the company claimed that the service’s privacy settings were functioning as intended.

The researchers collected 137 million U.S. phone numbers, nearly 750 million numbers in India, and substantial numbers in China and Myanmar, even though the latter two countries have banned WhatsApp. An analysis of the accounts’ cryptographic keys revealed that some accounts used duplicate keys, possibly due to unauthorized WhatsApp clients rather than an inherent platform flaw.
While Meta has stated that the exposed information is “basic publicly available information” and says it has found no evidence of malicious exploitation, the implications of this breach are significant. The exposure of such a vast number of phone numbers could lead to targeted attacks, phishing attempts, and privacy violations for users. The researchers emphasize the importance of addressing such vulnerabilities to protect user data. The incident has sparked discussions about WhatsApp’s security measures and the need for continued oversight and improvements in its data protection practices. Despite the company’s responses, concerns remain about the potential for misuse and the need for stronger safeguards to prevent similar breaches in the future.