
WhatsApp’s greatest strength, even with over three billion users, has always been its simplicity: find a phone number and start chatting. However, a group of researchers exploited a systematic weakness in WhatsApp to reveal approximately 3.5 billion phone numbers and associated account data. That very ease of use unintentionally led to one of the most serious privacy breaches in modern history. Austrian researchers recently demonstrated that WhatsApp allowed anyone to extract the phone numbers of all 3.5 billion registered accounts and, in some cases, to view profile photographs and other account content. The simple “Add Contact” flow scaled up to billions. Despite earlier warnings dating from 2017, Meta did not address the loophole until late this year.
The researchers also leveraged the lack of rate limits on profile views for registered accounts on the Meta-owned platform, which let them scan large volumes of candidate phone numbers to determine which were linked to user profiles. They described it as the most significant exposure of phone numbers and related profile data ever recorded, warning that in the wrong hands it could pose a serious security risk.
Researchers from the University of Vienna and SBA Research discovered a flaw in WhatsApp’s contact discovery system that allowed them to enumerate approximately 3.5 billion phone numbers along with related profile data. Their findings, published on GitHub, outline the method used and expose a major security vulnerability in WhatsApp’s infrastructure.
The strategy took advantage of the fact that WhatsApp lets users upload their phone book and immediately see which contacts already have accounts. The researchers automated the process by repeatedly submitting vast lists of candidate phone numbers and recording whether each number was registered. Because the system did not impose adequate rate limiting, they were able to verify tens of millions of numbers every hour.
Their findings indicate that additional public metadata was available for many of the discovered numbers. Specifically, approximately 57% of the accounts had profile photographs visible to “everyone,” and roughly 29% included text in the profile’s “About” section.
Surprisingly, the researchers found millions of accounts in countries where WhatsApp is banned. Using phone number ranges for China, Myanmar, and Iran, they discovered 2.3 million, 1.6 million, and over 60 million accounts, respectively. “Phone numbers were not designed to be used as secret identifiers for accounts, but that’s how they’re used in practice,” one researcher told Wired.
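The two controls the article says were missing from the contact-discovery flow, a per-account budget on how many numbers may be checked per hour and a sanity check on whether an upload looks like a real address book, shown as an added Python example that is neither WhatsApp’s code nor the researchers’ tooling; the registry, account names, number format and thresholds are constructed for illustration.

```python
from collections import deque

# Constructed stand-in for the user database: roughly one in seven numbers is registered.
REGISTERED = {f"+4366000{i:04d}" for i in range(0, 10000, 7)}


class ContactDiscoveryGuard:
    """Budget and anomaly check in front of an address-book upload endpoint.

    * Sliding-window budget on the number of phone numbers an account may query.
    * Hit-ratio heuristic: a real address book mostly contains registered contacts,
      whereas a guessed number range mostly does not.
    """

    def __init__(self, max_numbers=5000, window_s=3600, min_hit_ratio=0.2, min_sample=500):
        self.max_numbers = max_numbers      # numbers per account per window
        self.window_s = window_s            # window length in seconds
        self.min_hit_ratio = min_hit_ratio  # below this, the upload looks like scanning
        self.min_sample = min_sample        # do not judge the ratio on tiny uploads
        self.history = {}                   # account_id -> deque of (ts, queried, hits)

    def _window(self, account_id, now):
        q = self.history.setdefault(account_id, deque())
        while q and now - q[0][0] >= self.window_s:
            q.popleft()                     # drop entries that fell out of the window
        return q

    def lookup(self, account_id, numbers, now):
        """Return (status, matches); status is 'ok', 'rate_limited' or 'flagged'."""
        q = self._window(account_id, now)
        queried = sum(n for _, n, _ in q)
        if queried + len(numbers) > self.max_numbers:
            return "rate_limited", []       # refuse before touching the registry
        matches = [n for n in numbers if n in REGISTERED]
        q.append((now, len(numbers), len(matches)))
        queried += len(numbers)
        hits = sum(h for _, _, h in q)
        if queried >= self.min_sample and hits / queried < self.min_hit_ratio:
            return "flagged", []            # range scanning pattern: withhold results, alert
        return "ok", matches
```

A genuine upload of a contact list passes, while sequential ranges are first withheld on hit ratio and then refused outright once the hourly budget is spent.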
As reported by Wired, the researchers reached out to Meta regarding the enumeration vulnerability, which the company addressed in October. Meta stated that the exposed data was “basic publicly available information” and confirmed that no message content or private user data had been accessed.
This event is not about leaked messages or hacked servers, but it does highlight a larger issue: WhatsApp left a vital privacy door open for years. Even if Meta maintains there is no documented abuse, the sheer volume of accessible data raises serious concerns about user safety, spam, and targeted fraud. The patch was late, and the story serves as a reminder that convenience frequently comes at the expense of security unless businesses take privacy issues seriously before they grow.