Researchers uncover WhatsApp vulnerability affecting 3.5 billion users

# Tech Desk
Representational image | Photo: Getty Images

New Delhi: A major security vulnerability in WhatsApp reportedly exposed the personal details of nearly 3.5 billion users, according to research by the University of Vienna.

The researchers identified a weakness in WhatsApp’s contact discovery feature that allowed them to systematically check phone numbers and confirm active accounts on a massive scale. They generated over 100 million queries per hour using an automated method, ultimately gathering information from users in 245 countries.

Although the data accessed was limited to information already publicly visible to anyone with a phone number, such as profile photos, public keys, "about" text, and timestamps, the researchers noted that these fragments could reveal additional insights, including a user’s operating system, account age, and the number of linked devices.

The report highlighted that a similar warning was issued in 2017, when a researcher flagged the lack of limits on phone number checks, which allowed large-scale scraping. Despite that, the vulnerability persisted until the University of Vienna team demonstrated its potential for exploitation. During testing, they extracted 30 million U.S. phone numbers within the first 30 minutes.

Meta, WhatsApp’s parent company, acknowledged the researchers’ efforts in a statement to 9to5Mac. “We appreciate the researchers’ role in uncovering the vulnerability and credit them for identifying a novel enumeration technique that outsmarted our intended safeguards,” the company said.

Meta confirmed that the data had been securely deleted by the researchers and emphasised that it found no evidence of malicious exploitation. The company also said it had been working on advanced anti-scraping systems, and the study validated the effectiveness of these protections.