A newly revealed WhatsApp vulnerability has exposed the phone numbers of nearly every user worldwide. Security researchers discovered that a “simple” loophole in the platform’s contact discovery feature allowed them to extract 3.5 billion phone numbers, along with profile photos and other basic details.
The alarm is not only about the scale of the exposure. It is also about the fact that Meta was warned about this exact flaw back in 2017 and failed to deploy the minimal fix required to stop it.
A Feature That Became a Global Weak Point
WhatsApp’s growth has long been supported by an intuitive contact discovery system. Add a phone number, and the app instantly shows whether that person uses the service. Researchers realized that the same check, issued for every possible number in a range and repeated billions of times, turns the feature into a mass scraping tool that reveals the cell number and profile details of almost every WhatsApp user on the planet. The feature answers a yes/no question per number, and nothing stopped a single account from asking it without limit.
A researcher first flagged this loophole in 2017, pointing out that WhatsApp placed no limit on the number of contact checks a user could perform. Eight years later, a team from the University of Vienna proved the flaw was still unpatched.
Billions of Numbers Collected With Ease
The team needed only 30 minutes to gather 30 million US phone numbers. They then extended the same method to other country codes and continued collecting numbers from around the world.
“To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented,” said Aljosha Judmayer, one of the researchers involved in the study.
The team responsibly deleted the data and notified Meta. According to the researchers, Meta took roughly six months to implement rate limits that would prevent similar mass scraping attempts in the future.
WhatsApp claims it was already developing anti-scraping protections and says that it has not found any signs that malicious actors exploited the flaw.
Meta’s Response
After publication, a Meta representative shared an official statement:
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in confirming the efficacy of these new defenses. The researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. User messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible.”