Caption – (Photo by Dima Solomin on Unsplash)
WhatsApp recently faced a major privacy concern after security researchers uncovered a flaw. It seems that an internal flaw in the Meta-owned app allowed the extraction of phone numbers and profile information of billions of users. Here’s more on that.
A research team from the University of Vienna disclosed that they successfully collected 3.5 billion phone numbers using what they termed a “simple” method that exploited WhatsApp’s contact-discovery feature. This mechanism is intended to check if a phone number is registered on the platform, but because WhatsApp had no effective rate limits, the system allowed millions of automated queries per hour.
By sending these automated checks, the researchers not only identified active WhatsApp accounts but also retrieved profile photos and status texts associated with many of them. They warned that if this flaw had been exploited by malicious entities, it could have resulted in the “largest data leak in history.”
According to the researchers, this vulnerability dates back to at least 2017. The timeline is also concerning since Meta had received warnings about similar privacy risks previously. WhatsApp’s contact-discovery tool, designed for convenience by syncing a user’s address book, inadvertently enabled large-scale data harvesting.
Meta acknowledged the flaw but suggested it stemmed more from an overlooked design choice than a technical bug. In a statement to Wired, WhatsApp’s vice president of engineering Nitin Gupta said, “This study was instrumental in stress-testing and confirming the immediate efficacy of (anti-scrapping) new defences We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
Meta has since added rate limits to prevent excessive querying of WhatsApp numbers. The company also stated that only publicly accessible information was exposed due to the flaw. Public information on WhatsApp includes phone numbers, name and profile photos.
The researchers further revealed that they used WhatsApp Web to submit high-volume contact-discovery requests, managing to scrape millions of entries every hour. They found that profile photos were visible for about 57% of the identified accounts, while profile text was accessible for 29%.
The method reportedly worked even in countries where WhatsApp is banned such as China, Iran, Myanmar, and North Korea.
Once the scale of the issue became clear, the researchers reported the flaw to Meta and deleted the scraped database after concluding their study. According to the report, Meta took roughly six months to implement a fix and introduce proper rate limits.
Answer. Researchers found that WhatsApp’s contact-discovery feature lacked rate limits, allowing automated queries to extract 3.5 billion phone numbers, profile photos, and status texts.
Answer. No. According to Meta, only publicly accessible information like phone numbers and profile photos was exposed. Messages remained secure due to end-to-end encryption.
Answer. Meta acknowledged the issue as a design oversight, not a bug, and has since implemented rate limits to prevent mass data scraping. The flaw reportedly existed since 2017.
Highlights OnePlus 15T launched in China starting at CNY 4,299 (₹58,000) for 12GB+256GB. Key Features…
Highlights Redmi Note 15 SE 5G will debut in India on April 2, 2026 with…
Highlights Realme increased smartphone prices in India starting March 24, 2026, citing rising costs. Updated…
Highlights Vivo will unveil the X300 Ultra and X300s in China on March 30, expanding…
Highlights Huawei Mate 80 Pro Max Wind Edition was introduced in China at CNY 8,499…
Highlights Honor 600 and Honor 600 Pro leaked renders show a rear camera bar and…
This website uses cookies.