A Massive WhatsApp Vulnerability Exposed Billions of Users’ Phone Numbers - Could Yours Be at Risk?

Security researchers have uncovered a significant vulnerability in WhatsApp that made it possible for anyone to scrape the phone numbers of up to 3.5 billion users worldwide. This flaw, which had been overlooked for years, allowed attackers to collect not only phone numbers but also profile pictures and status texts from millions of accounts. Here’s what happened and what you need to know to stay safe.

A Simple Yet Alarming Method to Collect Billions of WhatsApp Numbers

WhatsApp’s contact discovery feature lets users check if a phone number is registered on the platform by simply searching for it. If the number is registered, WhatsApp shows the user’s profile picture and name. Researchers at the University of Vienna exploited this by programmatically changing phone number sequences to query billions of numbers without restrictions.

Surprisingly, WhatsApp did not have any rate-limiting controls in place to block such mass queries, enabling the researchers to extract about 30 million U.S. numbers within half an hour. Eventually, their database grew to include approximately 3.5 billion phone numbers globally. Moreover, since over half of these users had their privacy settings allowing profile pictures to be visible to everyone, the researchers easily harvested those images as well. Profile status texts were accessible for nearly a third of these accounts.
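As an added illustration (not code from the article, the researchers, or WhatsApp), the following detector shows the kind of server-side check that the missing rate limiting would have provided: it scans a constructed contact-discovery lookup log and flags clients that walk through number sequences or query an unusual number of distinct numbers in a short window. The log format, thresholds and client names are assumptions for the example.

```python
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format (constructed for this example):
#   "<ISO-8601 timestamp> client=<id> lookup=<E.164 number>"
WINDOW = timedelta(minutes=5)
MAX_DISTINCT = 50             # distinct numbers per window before a client is flagged
SEQ_MIN, SEQ_RATIO = 10, 0.8  # flag smaller bursts when >=80% of steps are exactly +1

def parse_line(line):
    """Split one log line into (timestamp, client id, number as int)."""
    ts, client, lookup = line.split()
    return (datetime.fromisoformat(ts),
            client.split("=", 1)[1],
            int(lookup.split("=", 1)[1].lstrip("+")))

def find_enumerators(lines):
    """Return {client: reason} for clients whose lookups look like enumeration."""
    per_client = defaultdict(list)
    for ts, client, number in sorted(map(parse_line, lines)):
        per_client[client].append((ts, number))
    flagged = {}
    for client, events in per_client.items():
        window = deque()                      # events within the last WINDOW
        for ts, number in events:
            window.append((ts, number))
            while ts - window[0][0] > WINDOW:
                window.popleft()
            nums = [n for _, n in window]
            distinct = len(set(nums))
            if distinct >= MAX_DISTINCT:      # volume-based rule
                flagged[client] = f"{distinct} distinct numbers in {WINDOW}"
                break
            steps = [b - a for a, b in zip(nums, nums[1:])]
            if len(nums) >= SEQ_MIN and sum(s == 1 for s in steps) / len(steps) >= SEQ_RATIO:
                flagged[client] = f"sequential scan of {len(nums)} numbers"  # pattern rule
                break
    return flagged

def constructed_log():
    """Constructed sample log: one scanner walking a number range, one ordinary user."""
    t0 = datetime(2025, 10, 1, 12, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} client=scan lookup=+1415555{1000 + i:04d}"
             for i in range(30)]              # +14155551000, +14155551001, ... one per second
    for i, n in enumerate([14155550123, 14155559876, 12125551234]):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} client=user lookup=+{n}")
    return lines

if __name__ == "__main__":
    print(find_enumerators(constructed_log()))
```

The sequential rule fires well before the volume rule, which is the point: a scanner that increments numbers is visible long before it has queried enough distinct numbers to trip a plain counter.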

A Flaw Known but Ignored for Years

What’s more concerning is that Meta, WhatsApp’s parent company, had been informed about this vulnerability as early as 2017 by a different group of researchers. Despite the warning, no notable measures were implemented to prevent abuse of the contact discovery feature until very recently. This prolonged inaction raises questions about how many malicious actors may have exploited the flaw during this period.

In April of the current year, the Austrian team submitted their findings to Meta to highlight the severity of the problem. Prompted by this new report, Meta finally introduced stricter rate-limiting protections in October, effectively preventing mass-scale scraping of WhatsApp numbers going forward. The research team has since securely deleted the vast database they compiled to uphold user privacy.

How WhatsApp Compares to Its Competitors

Unlike WhatsApp, competitors such as Signal have built-in safeguards like rate limiting to prevent large-scale contact enumeration. Signal prioritizes user privacy by design, blocking attempts to abuse the contact discovery process. This incident further emphasizes the necessity of strong privacy protections in messaging apps.

Security Worries Extend Beyond WhatsApp

This isn’t the first time Meta’s platforms have suffered from major data leaks. In 2021, the personal information of over 530 million Facebook users was leaked online, using a similar tactic of searching profiles by phone number to harvest user data. These recurring issues highlight ongoing security challenges within Meta’s ecosystem.

A Personal Take on Security

WhatsApp offers many features and strong end-to-end encryption but remains vulnerable to privacy exploits like this one. Due to these concerns and WhatsApp’s data collection habits, many users, including security-conscious ones, are switching to alternatives like Signal. Signal collects minimal data and includes privacy-enhancing features such as call relay—which hides your IP during calls—and screen protection to block screenshots of conversations.
