
LATEST NEWS

Vulnerability in WhatsApp exposed profiles of 3.5 billion users: Researchers confirm flaw in contact discovery API allowed mass scraping of phone numbers, profile photos, and status text

  • Marijan Hassan - Tech Journalist
  • 1 day ago
  • 2 min read

A team of IT security researchers from the University of Vienna and SBA Research has uncovered a severe privacy flaw in WhatsApp that allowed them to successfully enumerate and map the profiles of 3.5 billion active user accounts. That’s virtually the entire global user base.

The researchers exploited a weakness in WhatsApp's contact discovery API, the mechanism that lets the app check which of a user's phone book contacts are also on the platform. They showed that the service lacked effective rate limiting: they were able to check the registration status of more than 100 million phone numbers per hour without being blocked.
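To make the mechanism concrete, the following is an added example (not WhatsApp's code or the researchers' tooling) that simulates a contact-discovery endpoint: a client uploads phone numbers and the server answers which ones have accounts. It contrasts an unlimited endpoint, which answers a sweep of an entire number block, with one behind a per-client sliding-window limit, and adds a hit-rate heuristic for spotting enumeration: a real address-book sync mostly hits registered numbers, while a sweep over a number range mostly hits unregistered ones. The registered-number set, the client IDs, the 500-per-hour limit and the detection thresholds are all hypothetical values constructed for the example.

```python
"""Simulated contact-discovery endpoint, with and without per-client rate limiting.

Constructed example: the number block, the registered set, the limit and the
detection thresholds are hypothetical and do not describe WhatsApp's real
service or the researchers' tooling.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` lookups per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # client_id -> timestamps of allowed lookups

    def allow(self, client_id, now):
        q = self._events[client_id]
        # Drop lookups that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def contact_discovery(client_id, numbers, registered, limiter=None, now=0.0):
    """Return ({number: is_registered}, refused_count) for one client's upload.

    With limiter=None the endpoint answers every number it is given, which is
    exactly what makes bulk enumeration of the whole number space possible.
    """
    results = {}
    refused = 0
    for n in numbers:
        if limiter is not None and not limiter.allow(client_id, now):
            refused += 1
            continue
        results[n] = n in registered
    return results, refused


def hit_rate(results):
    """Fraction of queried numbers that turned out to be registered."""
    return sum(results.values()) / len(results) if results else 0.0


def looks_like_enumeration(results, min_lookups=1000, max_hit_rate=0.3):
    """Heuristic (hypothetical thresholds): many lookups with a low hit rate
    look like a sweep over a number range rather than an address-book sync."""
    return len(results) >= min_lookups and hit_rate(results) <= max_hit_rate


# Constructed sample data: a block of 20,000 numbers, 1 in 8 of them registered.
REGISTERED = {f"+1555{n:07d}" for n in range(0, 20000, 8)}
SWEEP = [f"+1555{n:07d}" for n in range(20000)]            # attacker sweeps the block
PHONEBOOK = [f"+1555{n:07d}" for n in range(0, 1600, 8)]   # a real user's 200 contacts


def enumerate_without_limit():
    """Unlimited endpoint: (answered, refused, registered numbers found)."""
    results, refused = contact_discovery("attacker", SWEEP, REGISTERED)
    return len(results), refused, sum(results.values())


def enumerate_with_limit(limit_per_hour=500):
    """Same sweep against a limited endpoint: only the first `limit_per_hour`
    lookups in the hour are answered, the rest are refused."""
    limiter = SlidingWindowLimiter(limit=limit_per_hour, window=3600)
    results, refused = contact_discovery("attacker", SWEEP, REGISTERED, limiter)
    return len(results), refused, sum(results.values())


def limit_resets_after_window():
    """Show the window sliding: the third lookup is refused, but an hour later
    one slot has aged out and the client is allowed again."""
    limiter = SlidingWindowLimiter(limit=2, window=3600)
    first = [limiter.allow("c", 0.0), limiter.allow("c", 1.0), limiter.allow("c", 2.0)]
    later = limiter.allow("c", 3600.0)
    return first, later


if __name__ == "__main__":
    print("unlimited:", enumerate_without_limit())
    print("limited:  ", enumerate_with_limit())
    sync, _ = contact_discovery("user", PHONEBOOK, REGISTERED)
    sweep, _ = contact_discovery("attacker", SWEEP, REGISTERED)
    print("phonebook hit rate:", hit_rate(sync), "flagged:", looks_like_enumeration(sync))
    print("sweep hit rate:    ", hit_rate(sweep), "flagged:", looks_like_enumeration(sweep))
```

The limiter alone only slows a single client; an attacker with many accounts or IPs spreads the sweep across them, which is why the hit-rate signal matters as a second control: it keys on what the queries look like rather than on who sends them.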


The data harvest: Metadata is the target

While WhatsApp's core message content remains protected by end-to-end encryption, the flaw allowed the creation of the largest known database of verified active user accounts, harvesting crucial metadata:


  • Phone numbers: Confirmation of 3.5 billion active WhatsApp accounts

  • Public profile data: For millions of accounts, the researchers were able to collect profile photos, "About" text, and public encryption keys, all of which are visible if the user's privacy settings are set to "Everyone."

  • Macroscopic insights: The collected data allowed the researchers to perform a "population census," revealing user distribution, device type shares (Android vs. iOS), and platform activity, including millions of active accounts in countries where WhatsApp is officially banned (e.g., China and Iran).


"The issue with enumeration vulnerabilities is not that encryption is broken; it is that platforms reveal too much through their metadata. A system doesn't need to be hacked to be exploited," Dr. Sofia Marel, a cybersecurity expert, noted.


Risk of hyper-targeted attacks

The danger of this leak lies not in the exposure of private messages, but in the scale and utility of the public information collected. In the hands of malicious actors, this data provides the perfect foundation for hyper-targeted social engineering and phishing attacks:


  • Impersonation: Profile photos and personal status text can be used to create highly convincing deepfakes and impersonation attempts.

  • SIM-swapping: A confirmed, active phone number tells an attacker which targets are worth a SIM-swap attempt, a key step in hijacking accounts tied to that number.

  • Targeted scams: The data can be used to create detailed profiles on individuals, making scams and targeted fraud significantly more effective.


The researchers also noted that nearly half of the phone numbers included in the massive 2021 Facebook data scraping incident remain active on WhatsApp, underscoring the long-lasting impact of such exposures.


Meta’s response

Meta, WhatsApp's parent company, confirmed it was informed of the vulnerability and has since taken corrective action, including implementing stricter rate-limiting and anti-scraping measures.


In a statement, Meta thanked the researchers for their responsible disclosure, noting, "This study was instrumental in stress-testing and confirming the immediate efficacy of [our] new defenses." The company emphasized that user messages remained secure and that the researchers had deleted the collected data.


The findings, however, underscore that even on platforms famed for their encryption, privacy risks can persist in the often-overlooked design of supporting features like contact discovery.
