A major security vulnerability in WhatsApp exposed the personal information of nearly 3.5 billion users, according to researchers from the University of Vienna, Austria. The issue stemmed from a weakness in WhatsApp’s contact discovery feature, which the team reported to Meta, owner of the messaging platform.
The US tech giant has since taken steps to address and contain the problem. The researchers' method was simple: they submitted every possible phone number to WhatsApp's contact discovery feature and recorded which ones came back as registered, ultimately extracting 3.5 billion phone numbers.
By exploiting WhatsApp’s contact discovery mechanism, the researchers were able to send more than 100 million queries per hour, ultimately extracting over 3.5 billion active accounts across 245 countries.
The data accessed during the study consisted only of information already publicly visible to anyone with a user’s phone number. This included phone numbers, public keys, timestamps, and, if set to public, profile photos and “about” text.
Even so, the researchers were able to derive further insights, such as a user’s operating system, the age of their account and the number of companion devices linked to it. The findings show that even small amounts of publicly accessible data can reveal far more than expected.
Massive Data Leak Avoided?
According to 9to5Mac, the researchers said that if the same flaw had been exploited by malicious actors, it could have resulted in “the largest data leak in history.” What makes the lapse more serious is that Meta was first alerted to the issue more than eight years ago by another security researcher, yet the company did not put in place the simple fix that would have prevented it.
Flaw Left Unpatched For Years
A security researcher first discovered in 2017 that WhatsApp placed no cap on the number of checks a user could run for phone numbers, a basic oversight that made large-scale scraping possible.
Now, eight years later, researchers from the University of Vienna found the same flaw still wide open and used it to harvest the phone numbers of almost every WhatsApp user. It took them just 30 minutes to pull in the first 30 million US numbers, and from there, the data collection continued without resistance, the 9to5Mac report added.
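The control the article describes as missing is a cap on how many number checks one client may run. The following is an added illustration of what such a control looks like on the server side; it is not WhatsApp's or Meta's code, and the directory, client names, thresholds (500 lookups per hour, a 50% miss ratio judged after 50 lookups) and timings are all constructed for the example. It combines a sliding-window budget per client with a simple heuristic: a genuine address-book sync mostly queries numbers that exist on the service, while a sequential sweep mostly queries numbers that do not, so a high miss ratio is a useful detection signal even before the budget is exhausted.

```python
"""Per-client budget and enumeration heuristic for a contact-discovery lookup.

Added illustration, not WhatsApp's or Meta's code. It models the control
the article says was missing: a cap on how many number checks one client
may run, plus a flag for clients whose lookups look like a sweep.
"""
from collections import defaultdict, deque


class LookupGuard:
    """Wraps a directory lookup with a sliding-window cap and a miss-ratio flag."""

    def __init__(self, registered, max_lookups=500, window_seconds=3600,
                 max_miss_ratio=0.5, min_sample=50):
        self.registered = set(registered)
        self.max_lookups = max_lookups          # hypothetical per-client budget
        self.window = window_seconds
        self.max_miss_ratio = max_miss_ratio    # share of unknown numbers that looks like a sweep
        self.min_sample = min_sample            # do not judge a client on a handful of lookups
        self.history = defaultdict(deque)       # client_id -> timestamps of allowed lookups
        self.total = defaultdict(int)
        self.misses = defaultdict(int)
        self.flagged = set()

    def lookup(self, client_id, number, now):
        """Return 'rate_limited', 'registered' or 'unknown' for one query."""
        stamps = self.history[client_id]
        # Drop timestamps that have left the sliding window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_lookups:
            return "rate_limited"
        stamps.append(now)
        self.total[client_id] += 1
        hit = number in self.registered
        if not hit:
            self.misses[client_id] += 1
        # An address-book sync mostly hits; a sequential sweep mostly misses.
        total = self.total[client_id]
        if total >= self.min_sample and self.misses[client_id] / total > self.max_miss_ratio:
            self.flagged.add(client_id)
        return "registered" if hit else "unknown"


# Constructed directory: every seventh number in a fake +1555 range is "registered".
REGISTERED = {f"+1555{i:06d}" for i in range(0, 100000, 7)}


def simulate():
    """Run a normal address-book sync and a sequential sweep through the guard."""
    guard = LookupGuard(REGISTERED)
    stats = {}
    # Normal client: 36 registered contacts and 4 that are not on the service.
    book = [f"+1555{7 * k:06d}" for k in range(36)] + [f"+1555{7 * k + 1:06d}" for k in range(4)]
    counts = defaultdict(int)
    for t, number in enumerate(book):
        counts[guard.lookup("normal", number, now=float(t))] += 1
    stats["normal"] = dict(counts, flagged="normal" in guard.flagged)
    # Sweeping client: 1,000 consecutive numbers, two per second.
    counts = defaultdict(int)
    for i in range(1000):
        counts[guard.lookup("sweep", f"+1555{i:06d}", now=1000.0 + i * 0.5)] += 1
    stats["sweep"] = dict(counts, flagged="sweep" in guard.flagged)
    return stats


if __name__ == "__main__":
    for client, result in simulate().items():
        print(client, result)
```

In the simulation the normal client completes its 40 lookups untouched, while the sweeping client is flagged after its 50th lookup (42 of the first 50 numbers are unknown) and has every request beyond the 500th in the hour refused. In a real deployment the budget would be keyed to an authenticated account or device rather than a bare client string, and a flagged client would be routed to additional checks rather than silently served.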
Meta Responds
Meta told 9to5Mac that it appreciated the researchers’ role in uncovering the issue. The company said it was “grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty programme,” stressing that the team had exposed “a novel enumeration technique that surpassed our intended limits.”
Meta added that it had already been developing “industry-leading anti-scraping systems,” and said the study had helped “stress-test and confirm the immediate efficacy of these new defences.” According to the company, the researchers “securely deleted the data collected,” and Meta has “found no evidence of malicious actors abusing this vector.”
WhatsApp’s Encryption Intact: Meta
The company added that WhatsApp’s core security features were not compromised, saying that “user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption,” and that no sensitive or non-public information was ever accessible to the researchers.