A significant WhatsApp vulnerability has been uncovered by a study from the University of Vienna, putting the personal information of nearly 3.5 billion users worldwide at risk. The flaw, in the application's contact discovery feature, allowed the researchers to scan every conceivable phone number and reveal active accounts at an unprecedented scale.
Meta, the parent company of WhatsApp, has been notified about this issue and has implemented corrective measures.
The study indicated that an automated approach allowed researchers to conduct over 100 million queries every hour. They gathered user data from 245 countries. Although the acquired details were only those visible to anyone with access to a phone number—such as profile images, public keys, “about” messages, and timestamps—the researchers pointed out that these pieces of information could lead to much deeper insights. They were able to deduce users’ operating systems, how long WhatsApp had been in use, and the number of devices tied to each account.
This discovery is particularly concerning since similar vulnerabilities had been flagged previously. In 2017, a security expert highlighted that WhatsApp had no effective limits on the number of phone number verifications a user could execute, effectively leaving a gap for mass data scraping. Despite this early warning, the vulnerability persisted until the University of Vienna team showcased just how easily it could be taken advantage of.
In their testing, the researchers amassed 30 million U.S. phone numbers in just the first half-hour and continued to extract data without any interruption from WhatsApp’s servers.
In a communication to 9to5Mac, Meta expressed gratitude to the researchers for bringing the issue to light and noted that they had identified a new enumeration method that circumvented existing protections. The company stated that it was already working on more sophisticated anti-scraping tools, and the findings from this study helped affirm the effectiveness of its latest defensive measures. Meta confirmed that the researchers had securely removed all obtained data and reported no indications of malicious exploitation of this vulnerability.
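The weakness described above is the absence of any effective limit on contact-discovery lookups, which turns a per-number check into a bulk enumeration oracle. The following is an added illustration of the two server-side controls a defender would reach for, a per-client sliding-window rate limit and a miss-ratio heuristic that distinguishes an address-book sync (mostly registered numbers) from a scan of the whole number space (mostly unregistered numbers). It is not WhatsApp's or Meta's code; the lookup API, the registry of active numbers, the thresholds and the sample numbers are all constructed for the example.

```python
"""Rate limiting and enumeration detection for a contact-discovery lookup.

Added illustration, not WhatsApp's code. It assumes a lookup endpoint that
takes one client id and one phone number per call, and a set of registered
numbers (REGISTRY, constructed below) that the endpoint consults.
"""
from collections import Counter, deque

# Constructed registry: roughly one in 97 numbers in a 7-digit space is active.
REGISTRY = {f"+1555{n:07d}" for n in range(0, 1_000_000, 97)}


class ContactDiscoveryGuard:
    def __init__(self, registry, max_lookups=100, window_seconds=60.0,
                 max_miss_ratio=0.9, min_sample=50):
        self.registry = registry
        self.max_lookups = max_lookups      # lookups allowed per client per window
        self.window = window_seconds
        self.max_miss_ratio = max_miss_ratio  # above this share of misses -> enumeration
        self.min_sample = min_sample        # do not judge a client on too few lookups
        self._events = {}                   # client_id -> deque of (timestamp, hit)
        self._blocked = set()

    def _prune(self, queue, now):
        # Drop events that have aged out of the sliding window.
        while queue and now - queue[0][0] >= self.window:
            queue.popleft()

    def lookup(self, client_id, number, now):
        """Return (decision, registered).

        decision is 'allow', 'rate_limited' or 'blocked'. registered is None
        whenever the lookup is refused, so a refused request never leaks
        whether the number is active.
        """
        if client_id in self._blocked:
            return ("blocked", None)
        queue = self._events.setdefault(client_id, deque())
        self._prune(queue, now)
        if len(queue) >= self.max_lookups:
            return ("rate_limited", None)
        hit = number in self.registry
        queue.append((now, hit))
        # A legitimate sync mostly asks about numbers that are registered;
        # a scan of the number space mostly asks about numbers that are not.
        if len(queue) >= self.min_sample:
            misses = sum(1 for _, was_hit in queue if not was_hit)
            if misses / len(queue) > self.max_miss_ratio:
                self._blocked.add(client_id)
                return ("blocked", None)
        return ("allow", hit)


def simulate_scan(guard, client_id, start, count, step=0.01):
    """Query `count` consecutive numbers from `start`, one every `step`
    seconds, and return how many lookups received each decision."""
    decisions = Counter()
    for i in range(count):
        decision, _ = guard.lookup(client_id, f"+1555{start + i:07d}", i * step)
        decisions[decision] += 1
    return dict(decisions)


if __name__ == "__main__":
    guard = ContactDiscoveryGuard(REGISTRY)
    print("sequential scan:", simulate_scan(guard, "scanner", 0, 200))
```

The miss-ratio check is deliberately evaluated only once a client has issued `min_sample` lookups in the window, so a user whose contacts happen not to be on the service is not blocked after a handful of misses; the rate limit alone caps the throughput of a client that keeps its miss ratio low.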