Bharat Express DD Free Dish

WhatsApp Flaw Exposed Data Of 3.5 Billion Users; Meta Confirms Issue Resolved

A University of Vienna study found a WhatsApp flaw exposing data of 3.5 billion users; Meta has since fixed it.

A research team at the University of Vienna has uncovered a major vulnerability in WhatsApp that exposed personal details of nearly 3.5 billion users through the platform’s contact discovery feature.

Although Meta has since resolved the issue, the scale of the exposure has raised concerns about long-standing gaps in the app’s security safeguards.

The researchers revealed that the flaw allowed them to systematically test every possible phone number to identify active WhatsApp accounts.

Using an automated technique, they generated over 100 million queries per hour and eventually collected data from users across 245 countries.

The researchers retrieved only information normally visible to anyone with a phone number — such as profile photos, public keys, ‘about’ text and last-seen timestamps.

However, they found that even these fragments allowed them to infer deeper details, including the user’s operating system, account age and number of linked devices.

A Warning First Issued in 2017

What makes the discovery more concerning is that a similar weakness had been flagged as far back as 2017.

At the time, a security researcher warned that the absence of limits on checking phone numbers made mass scraping feasible.

Despite this early alert, the loophole remained unaddressed for eight years.

The University of Vienna team demonstrated how quickly the flaw could be exploited by extracting 30 million US phone numbers within just 30 minutes.

The researchers reported no technical resistance or throttling from WhatsApp’s servers throughout their testing.

Meta, the owner of WhatsApp, acknowledged the findings and thanked the researchers for exposing a ‘novel enumeration method’ that bypassed its intended protections.

The company said it had already been developing advanced anti-scraping tools, and the study helped validate the progress of these new systems.

In its statement, Meta confirmed that the researchers securely deleted the collected data.

It also emphasised that it found no evidence of malicious exploitation of the vulnerability in the real world.

Strengthening User Security

The incident highlights the challenges faced by large digital platforms in preventing mass data harvesting, particularly when features like contact discovery rely on phone number matching.

Cyber security experts say the study underscores the need for tighter rate-limiting, stronger authentication layers and more proactive vulnerability testing.

As WhatsApp continues to roll out updated anti-scraping defences, privacy researchers have noted that this episode serves as a reminder of the risks inherent in linking messaging identities to phone numbers — a practice widely criticised for enabling large-scale enumeration attacks.
