WhatsApp “Flaw” Exposed 3.5 Billion Phone Numbers and Profile Photos, Researchers Reveal

Highlights

  • Researchers exploited WhatsApp’s contact-discovery feature to collect 3.5 billion phone numbers, profile photos, and status texts.
  • The flaw dates back years and was reportedly known to Meta, raising concerns over delayed action.
  • Meta acknowledged the issue as a design oversight and not a bug.

WhatsApp recently faced a major privacy concern after security researchers uncovered a flaw. It seems that an internal flaw in the Meta-owned app allowed the extraction of phone numbers and profile information of billions of users. Here’s more on that.

WhatsApp Flaw Exposed User Phone Numbers

A research team from the University of Vienna disclosed that they successfully collected 3.5 billion phone numbers using what they termed a “simple” method that exploited WhatsApp’s contact-discovery feature. This mechanism is intended to check if a phone number is registered on the platform, but because WhatsApp had no effective rate limits, the system allowed millions of automated queries per hour.

By sending these automated checks, the researchers not only identified active WhatsApp accounts but also retrieved profile photos and status texts associated with many of them. They warned that if this flaw had been exploited by malicious entities, it could have resulted in the “largest data leak in history.”

According to the researchers, this vulnerability dates back to at least 2017. The timeline is also concerning since Meta had received warnings about similar privacy risks previously. WhatsApp’s contact-discovery tool, designed for convenience by syncing a user’s address book, inadvertently enabled large-scale data harvesting.

Meta’s Response

Meta acknowledged the flaw but suggested it stemmed more from an overlooked design choice than a technical bug. In a statement to Wired, WhatsApp’s vice president of engineering Nitin Gupta said, “This study was instrumental in stress-testing and confirming the immediate efficacy of (anti-scraping) new defences. We have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”

Meta has since added rate limits to prevent excessive querying of WhatsApp numbers. The company also stated that only publicly accessible information was exposed due to the flaw. Public information on WhatsApp includes phone numbers, name and profile photos.
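As an added illustration of the kind of server-side limit described above (example code written for this page, not WhatsApp's or the researchers' implementation): a sliding-window budget on how many distinct phone numbers one client may look up. The window, the budget, the client IDs and the `+999` numbers are constructed assumptions.

```python
from collections import OrderedDict, defaultdict

class ContactDiscoveryLimiter:
    """Per-client sliding-window budget on *distinct* numbers looked up."""

    def __init__(self, window_s=3600, budget=500):  # assumed values
        self.window_s = window_s
        self.budget = budget
        # client_id -> {number: last_lookup_ts}, ordered oldest lookup first
        self._seen = defaultdict(OrderedDict)

    def allow(self, client_id, number, now):
        seen = self._seen[client_id]
        # Forget numbers whose last lookup has left the window.
        while seen and next(iter(seen.values())) <= now - self.window_s:
            seen.popitem(last=False)
        if number in seen:            # re-sync of a known contact: no new cost
            seen[number] = now
            seen.move_to_end(number)
            return True
        if len(seen) >= self.budget:  # a new number would exceed the budget
            return False
        seen[number] = now
        return True

def constructed_traffic():
    """Constructed (ts, client_id, number) events, sorted by time."""
    book = [f"+999{n:09d}" for n in range(0, 200_000, 1000)]  # 200 contacts
    events = []
    for t0 in (0, 1800):              # address-book sync, repeated after 30 min
        events += [(t0 + i, "phone-A", num) for i, num in enumerate(book)]
    # Sequential walk over 10,000 numbers at 10 lookups per second.
    events += [(i // 10, "web-B", f"+999{i:09d}") for i in range(10_000)]
    events.sort(key=lambda e: e[0])
    return events

def replay(events, limiter):
    """Return {client_id: (allowed, denied)} for the given events."""
    tally = defaultdict(lambda: [0, 0])
    for ts, client, number in events:
        tally[client][0 if limiter.allow(client, number, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in tally.items()}

if __name__ == "__main__":
    print(replay(constructed_traffic(), ContactDiscoveryLimiter()))
```

Counting distinct numbers rather than raw requests lets a legitimate address-book re-sync pass untouched while a sequential walk through a number range is cut off once the budget is spent.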

The researchers further revealed that they used WhatsApp Web to submit high-volume contact-discovery requests, managing to scrape millions of entries every hour. They found that profile photos were visible for about 57% of the identified accounts, while profile text was accessible for 29%.

The method reportedly worked even in countries where WhatsApp is banned, such as China, Iran, Myanmar, and North Korea.

Once the scale of the issue became clear, the researchers reported the flaw to Meta and deleted the scraped database after concluding their study. According to the report, Meta took roughly six months to implement a fix and introduce proper rate limits.

FAQs

Q1. What flaw did researchers discover in WhatsApp’s system?

Answer. Researchers found that WhatsApp’s contact-discovery feature lacked rate limits, allowing automated queries to extract 3.5 billion phone numbers, profile photos, and status texts.

Q2. Was any private or encrypted data compromised in the breach?

Answer. No. According to Meta, only publicly accessible information like phone numbers and profile photos was exposed. Messages remained secure due to end-to-end encryption.

Q3. How has Meta responded to the recent phone number vulnerability?

Answer. Meta acknowledged the issue as a design oversight, not a bug, and has since implemented rate limits to prevent mass data scraping. The flaw reportedly existed since 2017.

Published by
Team My Mobile
