New Delhi, India — A significant vulnerability in WhatsApp exposed personal information belonging to nearly 3.5 billion users, according to a new research report from the University of Vienna.
Researchers found a weakness in the platform’s contact discovery feature that allowed them to systematically test massive volumes of phone numbers and determine which ones were linked to active WhatsApp accounts. Meta, which owns the messaging service, was notified and has taken steps to address the issue.
Using an automated method, the research team generated more than 100 million queries per hour and gathered information from users in 245 countries.
The data obtained included details that are normally visible to anyone with a user’s phone number — such as public keys, profile photos, “about” text, and timestamps. However, the researchers said these pieces of information were enough to infer additional insights, including a user’s operating system, the length of time they had been on WhatsApp, and the number of linked devices.
What alarmed the researchers further was that a similar warning had been raised eight years earlier. In 2017, a security expert pointed out that WhatsApp did not limit how many phone number checks a user could perform, making large-scale data scraping possible. Despite that early alert, the flaw remained unpatched until the Vienna team demonstrated how easily it could be exploited.
During testing, the researchers were able to extract 30 million U.S. phone numbers within the first 30 minutes and continued collecting data without any server-level resistance.
In a statement to 9to5Mac, Meta said it appreciated the researchers’ effort in identifying the vulnerability. The company credited the team for uncovering a new enumeration method that bypassed existing safeguards. Meta added that it had already been developing advanced anti-scraping measures and that the findings helped validate the strength of newer protections. The company also confirmed that the researchers securely deleted the data and found no evidence of malicious exploitation. (Source: IANS)