A group of researchers from the University of Vienna and the SBA Research center has identified a surprisingly simple vulnerability in WhatsApp's contact discovery function, the one the app uses to check whether a number is registered on the platform.
By automating these requests without running into any technical limits, the researchers managed to build an archive of 3.5 billion telephone numbers from 245 countries. All this without hacking servers or bypassing end-to-end encryption, but by using a mechanism the app already provides.
The attack didn't require advanced techniques: it was enough to systematically try sequences of telephone numbers. Besides confirming whether an account exists, the system returned information that WhatsApp makes public by default, such as the profile photo (retrieved in 57–59% of cases), the personal status text (about 29%), the device type and the associated public keys. The collection also revealed curious details, such as active users in countries where the app is officially banned, including China, Myanmar and North Korea.
Privacy implications and overlooked precedents
The research highlights a problem that has been known for years: the possibility of enumerating WhatsApp accounts was already reported in 2017, albeit in a limited form. Despite this, the platform has not introduced truly effective barriers against large-scale automated requests.
The researchers also pointed out collateral issues: around half of the numbers involved in the 2021 Facebook data leak are still active on WhatsApp, and anomalies were observed in the reuse of some cryptographic keys, especially by unofficial apps.
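The enumeration described above (sequential number lookups at high volume) and the missing barriers against large-scale automated requests both come down to server-side detection of bulk contact-discovery traffic. The following is an added example, not code from the researchers or from WhatsApp: it runs over a constructed log of lookups and flags clients that exceed a request budget in a sliding window or query consecutive numbers; the log format, client ids and thresholds are assumptions.

```python
from collections import defaultdict
# Constructed sample of contact-discovery lookups (not real traffic):
# unix_time client_id queried_number result
SAMPLE_LOG = """\
1700000000 bulk-01 +43660000000100 unregistered
1700000000 bulk-01 +43660000000101 registered
1700000001 bulk-01 +43660000000102 unregistered
1700000001 bulk-01 +43660000000103 registered
1700000002 bulk-01 +43660000000104 registered
1700000002 bulk-01 +43660000000105 unregistered
1700000040 user-07 +436641112233 registered
1700000050 user-07 +436649998877 unregistered
"""

def parse_log(text):
    """Yield (unix_time, client_id, number_as_int) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, number, _result = line.split()
            yield int(ts), client, int(number.lstrip("+"))

def longest_sequential_run(numbers):
    """Length of the longest run of consecutive integers (0 for empty input)."""
    run = best = 0
    prev = None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def detect_enumeration(text, window_s=60, max_lookups=5, min_run=4):
    """Flag clients exceeding max_lookups per window_s seconds or probing >= min_run consecutive numbers."""
    by_client = defaultdict(list)
    for ts, client, number in parse_log(text):
        by_client[client].append((ts, number))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        times = [t for t, _ in events]
        peak, j = 0, 0
        for i, t in enumerate(times):          # sliding window over (t - window_s, t]
            while times[j] <= t - window_s:
                j += 1
            peak = max(peak, i - j + 1)
        run = longest_sequential_run(n for _, n in events)
        if peak > max_lookups or run >= min_run:
            flagged[client] = {"peak_lookups": peak, "sequential_run": run}
    return flagged
```

In production the same two signals (per-client request rate and sequential-number probing) would drive rate limiting or step-up verification on the discovery endpoint rather than an offline report.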
Meta’s response
Once the flaw was identified, the team destroyed the collected data and informed Meta, which confirmed that it has taken measures to mitigate the problem. According to the company, there is no evidence that this vulnerability was exploited by malicious actors. Meta also reiterated its collaboration with researchers through its own Bug Bounty Program, acknowledging that the technique used exceeded the limits set for automated requests. Despite the reassurances, the affair reopens the debate on the need for stricter controls and greater transparency in metadata management, especially considering that WhatsApp has more than two billion users worldwide.