Researchers from Austria have revealed a significant security vulnerability within WhatsApp, leading to the exposure of approximately 3.5 billion phone numbers. By leveraging the app’s contact discovery tool, which enables users to find contacts rapidly, the researchers managed to enumerate phone numbers, revealing not just the numbers but, in many instances, associated profile photos and user metadata.
This discovery highlights a flaw that has persisted since at least 2017, when earlier warnings regarding similar vulnerabilities were issued. The group of researchers—including Aljosha Judmayer and Max Günther from the University of Vienna—demonstrated that WhatsApp’s parent company, Meta, had not effectively limited the rate or number of queries to its contact discovery feature. Their method allowed them to check up to 100 million numbers every hour.
The researchers initially contacted Meta about their findings in April and subsequently deleted the extensive database they compiled. By October, Meta implemented a stricter “rate-limiting” measure to address the issue. However, Günther cautioned that this vulnerability could have been exploited by others using the same technique before Meta acted.
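The rate-limiting gap described above, as an added illustration that is not code from the researchers or from Meta: a server-side guard for a contact-discovery endpoint that charges every number in a batch against a per-client sliding-window budget (so splitting a scan into small batches gains nothing) and flags clients whose lookups are mostly misses, the pattern a blind sweep of a number space produces. Client ids, budget values, phone numbers and the registered set are constructed placeholders.

```python
import time
from collections import deque

# Constructed budget values; a real deployment tunes these to legitimate usage.
HOURLY_LOOKUP_BUDGET = 5_000    # numbers one client may resolve per window
WINDOW_SECONDS = 3600
SUSPICIOUS_MISS_RATIO = 0.90    # sweeps mostly hit unregistered numbers


class ContactDiscoveryGuard:
    """Per-client sliding-window budget for contact-discovery lookups.

    Each client (hypothetical key: an account id) gets a bounded number of
    phone-number lookups per window; a batch is charged for every number
    it contains, and a batch that would exceed the budget is rejected whole.
    """

    def __init__(self, budget=HOURLY_LOOKUP_BUDGET, window=WINDOW_SECONDS):
        self.budget = budget
        self.window = window
        self._events = {}   # client -> deque of (timestamp, numbers charged)
        self._stats = {}    # client -> [lookups served, misses]

    def _prune(self, client, now):
        """Drop charges that fell out of the window; return the live deque."""
        q = self._events.setdefault(client, deque())
        while q and now - q[0][0] >= self.window:
            q.popleft()
        return q

    def used(self, client, now):
        return sum(n for _, n in self._prune(client, now))

    def check_batch(self, client, numbers, registered, now=None):
        """Return (matched_numbers, reason); reason is 'ok' or 'rate_limited'."""
        now = time.time() if now is None else now
        q = self._prune(client, now)
        if sum(n for _, n in q) + len(numbers) > self.budget:
            return [], "rate_limited"
        q.append((now, len(numbers)))
        hits = [n for n in numbers if n in registered]
        stats = self._stats.setdefault(client, [0, 0])
        stats[0] += len(numbers)
        stats[1] += len(numbers) - len(hits)
        return hits, "ok"

    def looks_like_enumeration(self, client, min_lookups=1000):
        """High volume with mostly misses is the signature of a number sweep."""
        lookups, misses = self._stats.get(client, (0, 0))
        return lookups >= min_lookups and misses / lookups >= SUSPICIOUS_MISS_RATIO
```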
Meta referred to the exposed data as “basic publicly available information,” asserting that profile pictures and content were only visible to users who had not taken steps to restrict their privacy settings. The company expressed appreciation to the researchers for bringing the issue to light through its bug bounty program.
Despite Meta’s reassurances, the researchers contended that they encountered no security measures while gathering the data. Their research builds on the prior warnings and indicates an ongoing issue with phone number enumeration in WhatsApp. In their analysis, they noted staggering rates of public exposure: 44% of American phone numbers displayed publicly available profile photos, while the figure was even higher (62%) in India.
The University of Vienna team stumbled upon this vulnerability while investigating how WhatsApp handles user data, even under its end-to-end encryption protocol. Without any apparent rate-limiting protections, they quickly accumulated vast amounts of data, which raised concerns about the implications for privacy and potential misuse by spammers and scammers.
Moreover, the research uncovered that certain accounts used duplicate cryptographic keys, a potential security risk if multiple users end up sharing the same key.
This research underscores an inherent flaw in using phone numbers as unique identifiers in platforms with massive user bases, suggesting that alternative identifiers like usernames might significantly improve privacy protection in the future.
The findings emphasize the need for improved data protection measures in large-scale applications like WhatsApp to ensure user privacy in an increasingly interconnected world.