Caption – (Photo by Dima Solomin on Unsplash)
WhatsApp recently faced a major privacy concern after security researchers uncovered a flaw. It seems that an internal flaw in the Meta-owned app allowed the extraction of phone numbers and profile information of billions of users. Here’s more on that.
A research team from the University of Vienna disclosed that they successfully collected 3.5 billion phone numbers using what they termed a “simple” method that exploited WhatsApp’s contact-discovery feature. This mechanism is intended to check if a phone number is registered on the platform, but because WhatsApp had no effective rate limits, the system allowed millions of automated queries per hour.
By sending these automated checks, the researchers not only identified active WhatsApp accounts but also retrieved profile photos and status texts associated with many of them. They warned that if this flaw had been exploited by malicious entities, it could have resulted in the “largest data leak in history.”
According to the researchers, this vulnerability dates back to at least 2017. The timeline is also concerning since Meta had received warnings about similar privacy risks previously. WhatsApp’s contact-discovery tool, designed for convenience by syncing a user’s address book, inadvertently enabled large-scale data harvesting.
Meta acknowledged the flaw but suggested it stemmed more from an overlooked design choice than a technical bug. In a statement to Wired, WhatsApp’s vice president of engineering Nitin Gupta said, “This study was instrumental in stress-testing and confirming the immediate efficacy of (anti-scrapping) new defences We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
Meta has since added rate limits to prevent excessive querying of WhatsApp numbers. The company also stated that only publicly accessible information was exposed due to the flaw. Public information on WhatsApp includes phone numbers, name and profile photos.
The researchers further revealed that they used WhatsApp Web to submit high-volume contact-discovery requests, managing to scrape millions of entries every hour. They found that profile photos were visible for about 57% of the identified accounts, while profile text was accessible for 29%.
The method reportedly worked even in countries where WhatsApp is banned such as China, Iran, Myanmar, and North Korea.
Once the scale of the issue became clear, the researchers reported the flaw to Meta and deleted the scraped database after concluding their study. According to the report, Meta took roughly six months to implement a fix and introduce proper rate limits.
Answer. Researchers found that WhatsApp’s contact-discovery feature lacked rate limits, allowing automated queries to extract 3.5 billion phone numbers, profile photos, and status texts.
Answer. No. According to Meta, only publicly accessible information like phone numbers and profile photos was exposed. Messages remained secure due to end-to-end encryption.
Answer. Meta acknowledged the issue as a design oversight, not a bug, and has since implemented rate limits to prevent mass data scraping. The flaw reportedly existed since 2017.
Highlights SpaceX acquired xAI in a $1.25 trillion all‑stock deal, combining AI research with space…
Highlights Galaxy Tab S12 Ultra (SM‑X946B) and Tab S12+ (SM‑X846B) appeared on the GSMA IMEI…
Highlights Samsung is preparing 3.6 million Galaxy S26 Ultra units, nearly six times more than…
Highlights Leaked listing shows the Infinix Note 60 in 8GB/128GB and 8GB/256GB variants, Note 60…
Highlights India’s smartphone shipments grew just 1% YoY in 2025, but overall market value rose…
Highlights The iPhone Fold is tipped to feature a massive 5500mAh+ battery, the largest ever…
This website uses cookies.