Researchers from the University of Vienna and SBA Research uncovered a severe privacy vulnerability within WhatsApp’s contact discovery feature, resulting in one of the most significant weaknesses yet for the world’s largest communication app. This mechanism, which normally matches a user’s address book numbers to the central WhatsApp database, was abused to confirm the existence of mobile numbers registered to the platform. By developing a method that bypassed the intended rate limiting, the team was able to enumerate over a hundred million numbers per hour from a single source, ultimately confirming a staggering 3.5 billion active mobile numbers—substantially higher than earlier public estimates.
While the technique did not immediately expose the identities of the users, it successfully verified that the numbers were valid and active on WhatsApp. Furthermore, the researchers were able to harvest other crucial data points, including users’ public keys for end-to-end encryption (E2EE), profile photos, “About” texts, and timestamps. By analyzing this collected information, the IT security specialists could deduce sensitive metadata such as the user’s device operating system, the age of the account, and the number of linked secondary devices, like those using WhatsApp Web.
The implications of this large-scale data exposure are serious, extending beyond simple data leakage. Knowing whether a specific mobile number is linked to a messaging app can be highly sensitive, especially for known individuals in politically volatile areas where certain apps, like WhatsApp, are banned. This confirmed status of active use makes the numbers prime targets for spam, phishing, and automated calls. Disturbingly, the research also revealed that 58% of the mobile numbers leaked during the 2021 Facebook hack remain in active use on the WhatsApp platform.
The findings raise concerns not just for individual users but also for businesses that rely on WhatsApp for customer support, sales, and e-commerce authentication via its cloud API. The potential for determined and well-resourced attackers to use these enumeration methods to associate specific phone numbers with real-world users is a key worry. Moreover, the researchers detected an unexpected small number of ‘public key collisions,’ where accounts were using weak or non-unique public-private key pairs, suggesting possible manufacturing or fraudulent account generation that bypasses the app’s normal security measures.
The research serves as a critical reminder that while WhatsApp’s E2EE architecture effectively protects the content of messages, it provides insufficient protection for metadata. According to lead author Gabriel Gegenhuber, even mature, trusted systems can contain flaws, and security and privacy must be viewed not as a one-time achievement but as a continuous reassessment process as technology evolves. The slow response to these findings underscores the need for continuous vigilance in protecting user data against sophisticated enumeration attacks.
Reference:
