A simple security flaw makes it possible to collect the phone numbers associated with every WhatsApp user, according to new research from the University of Vienna. The flaw potentially impacts about 3.5 billion WhatsApp accounts, covering the total estimated active user base.
The method was disclosed to WhatsApp owner Meta via its bug bounty program and addressed before publication of the paper. However, the simple “brute force” enumeration trick was available to anyone to exploit for at least a year and would also expose profile photos and text for users that did not have the appropriate privacy settings enabled.
Security flaw was exploitable until rate limiting measures were tuned up in October
As the report notes, WhatsApp is the world’s biggest messaging platform and nearly half of the total estimated global population count is thought to have an active account. Some of those are likely fake or multiple accounts, but the platform processes a total of about 150 billion messages per day worldwide.
The security flaw involves the app’s “contact discovery” feature. When a user first installs the app, they are prompted to optionally give it access to their address book to look up contacts that are already on WhatsApp; this is done via the phone numbers associated with their account. This will not only confirm that a WhatsApp account is registered to that number, but can provide profile information if the user’s security settings allow it.
Simply confirming that numbers are linked to WhatsApp accounts can be a security risk. Confirming that a number is registered and active makes it more valuable and more of a priority to spammers, scammers and hackers. It can also expose someone using the app in a country where it is banned, a situation common to political dissidents and journalists communicating with sources. However, if the user has not altered their privacy settings to be less permissive this search may also return their photo and text from their profile.
WhatsApp has cited this feature as being key to its massive growth, so taking it off the table is not an option for them. But securing it while retaining its function and convenience is a major challenge. As the researchers note, the only realistic option for containing this security flaw is rate limiting of queries. However, they found that existing rate limiting measures prior to October of this year were wholly insufficient to stop “dictionary” enumeration attacks that simply try every possible phone number in sequence. In fact, the researchers had performed a similar “white hat” testing attack in 2019 and found that none of the IP addresses or WhatsApp accounts they previously used had been blocked or throttled in any way.
The researchers developed a “novel” approach to enumerating these WhatsApp accounts (at a rate of about 7,000 numbers per second), and a spokesperson for Meta said that there is presently “no evidence” any threat actors had scraped the service in a similar way. However, the researchers note that if threat actors had used the same approach it would be the largest data breach by record count in history (exceeding the prior 2021 Facebook scraping incident by a factor of five).
Over half of WhatsApp accounts had profile pictures exposed
Though it comes down to individual security settings, 57% of the WhatsApp accounts had their profile photos exposed this way and 29% had profile text exposed. About two-thirds of the profile pictures were recognizable human faces. The researchers warned Meta about the security flaw in April of this year, but stricter rate limiting that makes it much more difficult to pull off was not implemented until October. Meta’s statements thus far have downplayed the incident, saying that in addition to finding no evidence of threat actors abusing the security flaw it only exposed what they called “basic publicly available information.” The researchers say that Meta did not agree to speak to them directly on a conference call until it was supplied with a pre-print of the research paper and informed of their imminent intent to publish.
This all comes after similar security flaws have been exposed by researchers, one dating back over 10 years. Two researchers, one in 2012 and another in 2020, developed and demonstrated smaller-scale methods for scraping WhatsApp accounts in a similar way. And in 2017, Dutch researcher Loran Kloeze wrote a blog post about a theoretical approach similar to the one these researchers ultimately used. The present-day researchers say that all of these prior warnings, including their own 2019 experiment, did not lead to meaningful security improvements to address the possibility of this kind of mass scraping.
WhatsApp has also recently made security news for the Water Saci self-propagating malware campaign, which is able to hijack active web sessions and send malicious ZIP files to all contacts. The company also recently was granted an injunction barring Israeli spyware firm NSO Group from targeting its users.

