Researchers discover security vulnerability in WhatsApp

Apparently, this bug (which has since been fixed) involves the contact discovery feature on WhatsApp being used to identify billions of WhatsApp users. Less of a security bug per se, but a dangerous privacy vulnerability for sure.

IT-Security Researchers from the University of Vienna and SBA Research identified and responsibly disclosed a large-scale privacy weakness in WhatsApp’s contact discovery mechanism that allowed the enumeration of 3.5 billion accounts. In collaboration with the researchers, Meta has since addressed and mitigated the issue. The study underscores the importance of continuous, independent security research on widely used communication platforms and highlights the risks associated with the centralization of instant messaging services. The preprint of the study has now been published, and the results will be presented in 2026 at the Network and Distributed System Security (NDSS) Symposium.

WhatsApp’s contact discovery mechanism can use a user’s address book to find other WhatsApp users by their phone number. Using the same underlying mechanism, the researchers demonstrated that it was possible to query more than 100 million phone numbers per hour through WhatsApp’s infrastructure, confirming more than 3.5 billion active accounts across 245 countries. “Normally, a system shouldn’t respond to such a high number of requests in such a short time — particularly when originating from a single source,” explains lead author Gabriel Gegenhuber from the University of Vienna. “This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide.”

The accessible data items used in the study are the same ones that are public for anyone who knows a user’s phone number and consist of: phone number, public keys, timestamps, and, if set to public, about text and profile picture. From these data points, the researchers were able to extract additional information, which allowed them to infer a user’s operating system, account age, as well as the number of linked companion devices. The study shows that even this limited amount of data per user can reveal important information, both on macroscopic and individual levels.

Don’t forget to disable contact syncing if you don’t need it. I swear this is something so commonly exploited even by social media platforms.

3 Likes

Our GrapheneOS who art in Github,
hallowed be thy repository.
Thy releases come.
Thy hardened_malloc be done
on stable as it is in prod.
Give us this day our daily patch,
and forgive us our bug reports,
as we forgive those who ask-dumb-questions-without-using-the-forum-search-first-I-mean-it’s-right-there,
and lead us not into data leaks,
but deliver us from bad OPSEC.
For thine is the open source project and the security, and the privacy,
forever and ever.

Amen :folded_hands::relieved_face:

3 Likes

Quite a bad one, and adding another reason for not using WhatsApp, I guess. :sweat_smile:
Quite shocked that there is nothing like some basic rate limiting there… :thinking:

Not even sure if adding rate limiting is a true solution. Someone with enough dedication could still do it.

There is a difference between implementing some basic rate limiting (trying to do things kinda decent) and not caring at all tho. :man_shrugging:t2:

Especially when you hold the data of billions of people and got enough budget to allocate dev workforce on it.

2 Likes
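To make the mechanism in the press release and the rate-limiting discussion above concrete, here is an added toy model (not WhatsApp's code and not the researchers' tooling). A contact-sync endpoint has to answer "which of these numbers have an account?", so the same call serves as an enumeration oracle; the model walks a number block in address-book-sized batches against an uncapped oracle and against one with a per-source budget, and computes the wall-clock cost of covering a number space at a given rate. The class and function names (`ContactDiscoveryService`, `enumerate_range`, `hours_to_enumerate`), the number block and the registered set are all constructed for the example.

```python
"""Toy contact-discovery oracle and enumeration against it, with and without a
per-source sliding-window budget. Added illustration for this thread; the
number space, registered set and limits are constructed, not real data."""
from collections import deque


class RateLimited(Exception):
    """Raised when a source exceeds its lookup budget for the current window."""


class ContactDiscoveryService:
    """Answers 'which of these numbers are registered?' the way a contact-sync
    endpoint must, optionally capping how many numbers one source may ask
    about per sliding window (hypothetical design, not WhatsApp's)."""

    def __init__(self, registered, limit_per_window=None, window_seconds=3600.0):
        self.registered = frozenset(registered)
        self.limit_per_window = limit_per_window
        self.window_seconds = window_seconds
        self._usage = {}  # source id -> deque of (timestamp, numbers_queried)

    def _spent(self, source, now):
        """Drop entries older than the window and return (numbers used, queue)."""
        q = self._usage.setdefault(source, deque())
        while q and now - q[0][0] >= self.window_seconds:
            q.popleft()
        return sum(n for _, n in q), q

    def lookup(self, source, numbers, now=0.0):
        """Return the subset of `numbers` that are registered accounts.
        The budget counts numbers rather than requests, because a single sync
        request can carry an entire address book."""
        numbers = list(numbers)
        if self.limit_per_window is not None:
            spent, q = self._spent(source, now)
            if spent + len(numbers) > self.limit_per_window:
                raise RateLimited(f"{source}: {spent}/{self.limit_per_window} used")
            q.append((now, len(numbers)))
        return {n for n in numbers if n in self.registered}


def enumerate_range(service, source, first, last, batch=1000):
    """What an enumerator does: walk a number block in batches and keep every
    number the oracle confirms; stop as soon as the source is throttled.
    Returns (confirmed accounts, numbers queried before stopping)."""
    found, queried = set(), 0
    for start in range(first, last + 1, batch):
        chunk = range(start, min(start + batch, last + 1))
        try:
            found |= service.lookup(source, chunk, now=0.0)
        except RateLimited:
            break
        queried += len(chunk)
    return found, queried


def hours_to_enumerate(number_space, numbers_per_hour):
    """Wall-clock hours needed to cover a number space at a given query rate."""
    return number_space / numbers_per_hour


# Constructed data: a block of 200,000 numbers in which every 7th is registered.
FIRST, LAST = 15550000000, 15550199999
REGISTERED = frozenset(range(FIRST, LAST + 1, 7))

if __name__ == "__main__":
    open_oracle = ContactDiscoveryService(REGISTERED)
    found, queried = enumerate_range(open_oracle, "attacker", FIRST, LAST)
    print(f"no limit:  queried {queried}, confirmed {len(found)} accounts")

    capped = ContactDiscoveryService(REGISTERED, limit_per_window=5000)
    found, queried = enumerate_range(capped, "attacker", FIRST, LAST)
    print(f"5000/hour: queried {queried}, confirmed {len(found)} accounts")

    # The rate the study reports versus a budget sized for a large address book.
    print(f"1e10 numbers at 1e8/h: {hours_to_enumerate(1e10, 1e8):.0f} hours")
    print(f"1e10 numbers at 5e3/h: {hours_to_enumerate(1e10, 5e3) / 8760:.0f} years")
```

The budget is deliberately per number queried, not per request, since otherwise one request carrying a huge address book defeats it. A per-source cap only raises the price: an enumerator with many sources divides the work among them, so the cap is a cost lever to combine with other controls rather than a fix on its own.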

What about this is a vulnerability? Honestly this seems exactly as designed. Also not seeing any problem in it tbqh.

A number using WhatsApp is as normal as “wow, an unknown phone number, what if I call it”.