WhatsApp: 3.5 billion phone numbers exposed by gaping vulnerability, “the most massive exposure ever documented”


Three researchers from the University of Vienna have just demonstrated the dizzying scale of a vulnerability that has been known since 2017. By exploiting WhatsApp's contact discovery system, they managed to identify 3.5 billion active numbers on Meta's messaging service. For 57% of them, profile photos were accessible. For 29%, the profile description text was also accessible.

A flaw reported for eight years

The process remains disarmingly simple: you just need to methodically test all possible numbers via the WhatsApp web application. Without strict rate limiting until last October, the researchers managed to verify one hundred million numbers per hour. “In half an hour, we had already recovered around 30 million American numbers,” says Gabriel Gegenhuber, one of the researchers. “We were quite surprised. So we continued.”
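The article's core technical point is that a lookup endpoint answering "is this number registered?" with no per-client budget can be walked exhaustively. The following is an added example, not code from the article or from Meta/WhatsApp, showing the two server-side controls a defender would reach for: a per-client sliding-window limiter on lookups, and a log scan that flags clients whose queries look like enumeration (an implausible number of distinct numbers, or runs of numerically adjacent numbers, which no real address-book sync produces). The thresholds, client identifiers and log lines are constructed assumptions.

```python
"""Added example: rate limiting and enumeration detection for a
contact-discovery style lookup endpoint. Not the article's or Meta's code;
all thresholds, client ids and log lines below are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set

# Assumed policy: a legitimate client syncs an address book of a few hundred
# entries, so 2,000 distinct lookups per hour is far outside normal use.
WINDOW_SECONDS = 3600
MAX_LOOKUPS_PER_WINDOW = 2000


class ContactDiscoveryLimiter:
    """Per-client sliding-window limiter on number-lookup requests."""

    def __init__(self, window: int = WINDOW_SECONDS,
                 limit: int = MAX_LOOKUPS_PER_WINDOW) -> None:
        self.window = window
        self.limit = limit
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        """Return True if the lookup fits the client's budget, else False."""
        q = self._events[client_id]
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: refuse the lookup
        q.append(now)
        return True


def parse_lookup_log(lines: List[str]) -> Dict[str, List[int]]:
    """Parse constructed 'ts client +E164' lines into {client: [numbers]}."""
    by_client: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash
        _ts, client, number = parts
        digits = number.lstrip("+")
        if digits.isdigit():
            by_client[client].append(int(digits))
    return by_client


def flag_enumerators(lines: List[str],
                     max_distinct: int = MAX_LOOKUPS_PER_WINDOW,
                     min_sample: int = 8,
                     sequential_ratio: float = 0.5) -> Set[str]:
    """Flag clients that (a) look up more distinct numbers than the budget, or
    (b) look up mostly consecutive numbers, the signature of a range walk."""
    flagged: Set[str] = set()
    for client, numbers in parse_lookup_log(lines).items():
        distinct = sorted(set(numbers))
        if len(distinct) > max_distinct:
            flagged.add(client)
            continue
        if len(distinct) >= min_sample:
            adjacent = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
            if adjacent / (len(distinct) - 1) >= sequential_ratio:
                flagged.add(client)
    return flagged


# Constructed sample log: one ordinary client syncing five scattered contacts,
# one client walking twelve consecutive numbers.
SAMPLE_LOG = [
    f"1700000000 app-legit +1555{n:07d}" for n in (1230981, 4102213, 7700045, 2221111, 9090909)
] + [
    f"1700000001 app-scan +1555{n:07d}" for n in range(100, 112)
]


def demo() -> Set[str]:
    return flag_enumerators(SAMPLE_LOG)


if __name__ == "__main__":
    print("flagged clients:", demo())
```

The sequential-run check matters because a small enumeration batch stays under any per-hour count threshold; the limiter stops bulk walking, while the detector catches the slower variant that a count alone would miss.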

However, the Dutch researcher Loran Kloeze had already alerted Meta to this flaw in 2017, without obtaining any reward under the bug bounty program. Meta argued at the time that the privacy settings worked as intended, since everyone can choose to hide their profile. That argument ignores how people actually use the app: in India, where WhatsApp has nearly 750 million accounts, 62% publicly display their profile photo.

The implications go beyond simple commercial canvassing. Researchers identified 2.3 million Chinese numbers and 1.6 million Burmese numbers, two countries where WhatsApp remains banned. In China, Muslims have been arrested for simply having the app on their phones.
“According to our information, this constitutes the most massive exposure of telephone numbers and personal data ever documented,” says Aljosha Judmayer.

Meta corrected the flaw last October, after being notified by the researchers in April, and says it “found no evidence of malicious exploitation”.
