A straightforward WhatsApp security flaw has exposed 3.5 billion phone numbers: by feeding tens of billions of phone numbers into WhatsApp’s contact discovery feature, researchers produced the largest exposure of phone numbers to date, along with profile images and other information.
The widespread adoption of WhatsApp can be attributed in part to the simplicity of locating a new contact on the messaging platform by adding a person’s phone number. WhatsApp immediately indicates whether the individual is using the service, often displaying their profile picture and name.
When this same process is repeated billions of times across all possible phone numbers, it becomes evident that this feature also serves as a convenient means to obtain the cell numbers of nearly every WhatsApp user globally, along with, in many instances, their profile photos and identifying text. Consequently, this leads to a vast exposure of personal information for a considerable portion of the global population.
A group of researchers from Austria has demonstrated that they successfully employed a straightforward method to check every possible number through WhatsApp’s contact-discovery feature, enabling them to extract phone numbers for 3.5 billion users on the messaging platform. They found that the profile pictures of approximately 57% of these users were also accessible, as was the text displayed on the profiles of a further 29%. Despite an earlier alert regarding WhatsApp’s vulnerability concerning this data issued by another researcher in 2017, they assert that the parent company, Meta, had yet to restrict the speed or quantity of contact discovery requests that the researchers could execute through WhatsApp’s web-based application, which permitted them to check around 100 million numbers per hour.
WhatsApp’s security flaws kick off the most significant data breaches in U.S. history.
The outcome would be considered the most extensive data leak in history if it had not been compiled as part of a responsibly executed research study, as the researchers stated in a paper detailing their findings.
“To the best of our understanding, the WhatsApp enumeration bug represents one of the most significant exposures of phone numbers and associated user data ever recorded,” states Aljoša Judmayer, a researcher from the University of Vienna who took part in the study.
The researchers indicate that they notified Meta of their findings on phone number scraping of WhatsApp in April and subsequently deleted their copy of the 3.5 billion phone numbers. By October, the company had resolved the WhatsApp enumeration bug by implementing more stringent rate-limiting measures that inhibit the large-scale contact-discovery method used by the researchers. However, until that point, the data exposure could have been exploited by anyone employing the same scraping technique. “If we could retrieve this information so easily, others could have done the same,” remarks Max Gunther, another researcher from the university who co-authored the paper.
In a statement to WIRED, Meta expressed gratitude to the researchers who reported their findings to Meta’s Bug Bounty program and characterized the exposed data as basic publicly available information, since profile photos and text were not disclosed for users who chose to keep them private. “We had already been developing industrial-grade reading and anti-scraping technologies, and this study was crucial for stress-testing and validating the immediate effectiveness of these new defenses,” writes Nitin Gupta, Vice President of Engineering at WhatsApp. Gupta further states: “We found no evidence of malicious actors exploiting this vulnerability. As a reminder, user messages remain private and secure due to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
Despite Meta’s characterization, the researchers assert that they neither bypassed nor encountered any defenses while phone number-scraping WhatsApp. Furthermore, this is not the first time WhatsApp has been alerted to the vulnerability of its phone numbers and related profile data. As far back as 2017, Dutch researcher Loran Kloeze published a blog post highlighting the feasibility of the phone number enumeration technique, which could be utilized to acquire phone numbers, profile images, and the times when users were online.
Kloeze illustrated a scenario in which the data exposure could be combined with facial recognition technology to build an extensive database of personally identifiable information. “Now, that is quite alarming, isn’t it?” he remarked. At the time, Meta (then known as Facebook) responded to his discoveries by claiming that WhatsApp’s privacy settings were functioning as intended, since users can restrict their profile information to selected contacts, and even informed him that he was not eligible for a bug bounty for his efforts.
When WIRED inquired about the rate-limiting measures Meta has implemented over the past eight years to thwart the technique demonstrated by Kloeze, the company replied that it was indeed establishing evolving defenses against scrapers, including rate limiting and machine-learning strategies to block them. Nevertheless, the researchers from the University of Vienna managed not only to access data akin to that obtained by Kloeze through their own enumeration method but also advanced the research by collecting all 3.5 billion registered WhatsApp phone numbers, significantly more than the service had in 2017. They also evaluated WhatsApp’s privacy claims by assessing the number of users who publicly revealed personal information in their profiles and categorized the results by country. They discovered that 44% of the 137 million phone numbers they gathered from Americans displayed photos, while 33% displayed “about” text.
How WhatsApp Contact Discovery Flaw Allowed Scraping of 3.5 Billion Numbers.
WhatsApp’s contact discovery flaw enabled the scraping of around 3.5 billion user phone numbers due to inadequate rate limiting on the servers associated with this feature, which facilitated automated large-scale queries.
In effect, the vulnerability was a form of enumeration attack that exploited a fundamental function of the application.
- Contact discovery feature: WhatsApp is designed to let users quickly identify which contacts in their phone book are also registered on the platform. When a user uploads their contacts, the application verifies the submitted phone numbers against its user database.
- Lack of rate limiting: researchers from the University of Vienna and SBA Research discovered that WhatsApp failed to impose adequate restrictions on the number of phone number verifications a single user or IP address could execute within a specific timeframe.
- Automated scraping: the researchers developed automated tools to generate large ranges of potential phone numbers and submit them to WhatsApp’s servers via the web interface, as there were no effective measures to block or slow down these requests. They were able to verify which numbers belonged to registered WhatsApp accounts at a rate exceeding 100 million queries per hour.
- Data collection: after a number was validated as an active user, the same method could be employed to collect accessible information linked to the account, including profile photos (visible for 57% of identified accounts) and “about” text/status messages (visible for 29% of identified accounts).
- Inferred metadata: timestamps and public keys also revealed data such as the user’s operating system and the number of linked devices.
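The list above comes down to one missing server-side control: the contact-discovery endpoint counted neither how many numbers a single account or source address looked up over time nor what those batches looked like. The following is an added illustration written for this article, not WhatsApp’s or Meta’s code, of the two defensive checks a practitioner would put in front of such an endpoint: a sliding-window budget that counts individual number lookups (not requests) per account and per IP, and a cheap heuristic that flags batches that walk a block of consecutive numbers, which a real address book never does. The log format, account names, IP addresses, number ranges and the policy thresholds (5,000 lookups per account per hour, 50,000 per IP, 80% sequential) are all constructed assumptions for the demo.

```python
from collections import defaultdict, deque

# Assumed policy values for the demo (not WhatsApp's actual limits).
LOOKUPS_PER_HOUR_PER_ACCOUNT = 5_000   # generous for a real address book
LOOKUPS_PER_HOUR_PER_IP = 50_000       # many accounts can share one NAT address
SEQUENTIAL_FRACTION_THRESHOLD = 0.8    # address books are not consecutive number blocks
MIN_BATCH_FOR_HEURISTIC = 20           # do not judge tiny batches on shape alone


class SlidingWindowLimiter:
    """Counts individual number lookups per principal inside a sliding time window."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)   # principal -> timestamps of counted lookups

    def remaining(self, principal: str, now: float) -> int:
        q = self._hits[principal]
        while q and q[0] <= now - self.window_s:   # expire lookups older than the window
            q.popleft()
        return self.limit - len(q)

    def record(self, principal: str, now: float, count: int) -> None:
        self._hits[principal].extend([now] * count)


def sequential_fraction(numbers) -> float:
    """Share of adjacent numbers (after sorting) that differ by exactly 1."""
    nums = sorted(int(n.lstrip("+")) for n in numbers)
    if len(nums) < 2:
        return 0.0
    runs = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return runs / (len(nums) - 1)


def parse_line(line: str):
    """Parse a constructed 'ts=.. acct=.. ip=.. batch=n1,n2,...' lookup log line."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return float(f["ts"]), f["acct"], f["ip"], f["batch"].split(",")


class ContactDiscoveryGuard:
    """Decides per batch whether to serve, throttle, or flag a contact-discovery request."""

    def __init__(self):
        self.per_account = SlidingWindowLimiter(LOOKUPS_PER_HOUR_PER_ACCOUNT, 3600)
        self.per_ip = SlidingWindowLimiter(LOOKUPS_PER_HOUR_PER_IP, 3600)

    def decide(self, line: str) -> str:
        ts, acct, ip, batch = parse_line(line)
        n = len(batch)
        if n >= MIN_BATCH_FOR_HEURISTIC and sequential_fraction(batch) >= SEQUENTIAL_FRACTION_THRESHOLD:
            return "flagged"     # looks like a number-block walk, not an address book sync
        if min(self.per_account.remaining(acct, ts), self.per_ip.remaining(ip, ts)) < n:
            return "throttled"   # over the hourly lookup budget for this account or address
        self.per_account.record(acct, ts, n)
        self.per_ip.record(ip, ts, n)
        return "ok"


def build_sample_log():
    """Constructed traffic: one normal sync, one sequential scraper, one scattered scraper."""
    lines = []
    book = ",".join(f"+1555{(i * 7919) % 10_000_000:07d}" for i in range(40))
    lines.append(f"ts=0 acct=alice ip=198.51.100.7 batch={book}")
    for k in range(3):   # walks a block of 1000 consecutive numbers per request
        blk = ",".join(f"+1555{1_000_000 + k * 1000 + i:07d}" for i in range(1000))
        lines.append(f"ts={k * 5} acct=seqbot ip=203.0.113.5 batch={blk}")
    for k in range(8):   # same volume, but scattered numbers that evade the shape check
        blk = ",".join(f"+1555{(i * 7919) % 10_000_000:07d}" for i in range(k * 1000, (k + 1) * 1000))
        lines.append(f"ts={k * 5} acct=shufbot ip=203.0.113.9 batch={blk}")
    return lines


def run_demo():
    """Run the guard over the constructed log and return decisions per account."""
    guard = ContactDiscoveryGuard()
    decisions = defaultdict(list)
    for line in build_sample_log():
        acct = parse_line(line)[1]
        decisions[acct].append(guard.decide(line))
    return dict(decisions)


if __name__ == "__main__":
    for acct, d in run_demo().items():
        print(acct, d)
```

The two checks are complementary: the shape heuristic stops the cheapest form of enumeration (walking a prefix in order) on the very first request, while the lookup budget bounds the slower, randomized variant regardless of how batches are arranged. Counting numbers rather than requests matters, because a scraper can otherwise pack thousands of numbers into one “request” and stay under a per-request limit; and keying a second budget on the source IP catches an actor who rotates through many throwaway accounts from the same infrastructure.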
WhatsApp Security Flaw: What Users Should Do.
WhatsApp says it is deeply committed to transparency and that it wants to help the wider technology community benefit from the latest developments in its security initiatives. It recommends that all users keep WhatsApp up to date by updating it through their respective app stores and that they update their mobile operating systems whenever updates are available.