WhatsApp's immense global popularity is partly due to the ease of finding contacts through phone numbers. However, this convenience came with a significant privacy risk. Until recently, anyone – including malicious hackers – could effortlessly obtain the phone numbers of all WhatsApp users on the platform.
Researchers from Austria uncovered this vulnerability by extracting phone numbers for approximately 3.5 billion WhatsApp users worldwide. In addition to the phone numbers, they accessed profile photos for about 57% of these accounts and profile text information for nearly 29%.
The researchers did not use any complex hacking techniques. Instead, they exploited WhatsApp’s own contact discovery mechanism on WhatsApp Web, which reveals whether a number is registered and displays profile information once that number is added as a contact.
By automating this process on a large scale, they scanned roughly 100 million phone numbers per hour earlier this year. Despite Meta, WhatsApp’s parent company, being warned about the vulnerability as far back as 2017, no effective mitigation was put in place until recently.
After the Austrian team reported their findings in April, Meta finally introduced rate-limiting in October, restricting mass attempts to discover accounts. Unfortunately, this protective measure came long after millions of phone numbers and user profiles were theoretically accessible to anyone on the internet.
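To illustrate what a server-side mitigation of this kind has to catch, here is an added example (not Meta's or WhatsApp's code) of a per-client sliding-window rate limiter for contact-discovery lookups, combined with a simple enumeration heuristic: a genuine address-book sync mostly queries numbers that are registered, while a scan of number ranges mostly hits unregistered ones. The thresholds, the client names and the lookup events are all constructed for the example.

```python
from collections import deque

# Constructed sample of contact-discovery lookups: (client_id, t_seconds, number, registered).
# "sync" behaves like a normal address-book sync; "scan" behaves like mass enumeration.
EVENTS = (
    [("sync", i * 0.5, f"+4366000{i:04d}", i % 4 != 0) for i in range(120)]
    + [("scan", i * 0.01, f"+4367{i:07d}", i % 10 == 0) for i in range(3000)]
)

WINDOW_SECONDS = 60
MAX_LOOKUPS_PER_WINDOW = 500   # assumed threshold, not WhatsApp's actual limit
MIN_HIT_RATE = 0.5             # assumed: real address books are mostly registered numbers


class DiscoveryGuard:
    """Sliding-window rate limit plus registered/unregistered hit-rate tracking per client."""

    def __init__(self):
        self.windows = {}  # client -> deque of accepted lookup timestamps
        self.stats = {}    # client -> [attempted lookups, lookups that hit a registered number]

    def allow(self, client, t, registered):
        """Record the attempt, then return True only if it fits inside the rate window."""
        s = self.stats.setdefault(client, [0, 0])
        s[0] += 1
        s[1] += int(registered)
        q = self.windows.setdefault(client, deque())
        while q and t - q[0] > WINDOW_SECONDS:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= MAX_LOOKUPS_PER_WINDOW:
            return False
        q.append(t)
        return True

    def hit_rate(self, client):
        attempts, hits = self.stats[client]
        return hits / attempts if attempts else 0.0


def run(events):
    """Replay events in time order; return accepted lookups per client and clients flagged as scanners."""
    guard = DiscoveryGuard()
    accepted = {}
    for client, t, _number, registered in sorted(events, key=lambda e: e[1]):
        accepted[client] = accepted.get(client, 0) + int(guard.allow(client, t, registered))
    flagged = {c for c in guard.stats if guard.hit_rate(c) < MIN_HIT_RATE}
    return accepted, flagged
```

With these inputs the sync client's 120 lookups all pass and it is not flagged, while the scan client is cut off after 500 lookups and flagged by its 10% hit rate; the hit-rate signal matters because a slow scanner can stay under any fixed rate limit.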
Meta emphasized that the exposed data consisted only of publicly available information and that users who chose to keep their profile photos or status private were not affected. The company also stated that no evidence suggests any malicious exploitation of the flaw and confirmed that non-public data remained secure.