WhatsApp flaw allowed discovery of the 3.5 billion mobile numbers registered to the platform


Researchers have uncovered a WhatsApp privacy flaw that allowed them to discover the 3.5 billion mobile numbers using the app globally, and possibly infer the identities of some of the people behind them.

WhatsApp vulnerabilities are not new, but the scale of the discovery by a combined team from the University of Vienna and SBA Research, outlined in “Hey there – You are using WhatsApp”, marks this as one of the most embarrassing weaknesses yet in the world’s most widely-used communication app.

The vulnerability was in WhatsApp’s contact discovery mechanism, the foundation of how this and many similar apps work. When WhatsApp is installed, it asks for permission to match mobile numbers in a user’s local address book to corresponding numbers in WhatsApp’s central database. It then determines which of those address book users are also using WhatsApp.

The researchers discovered a way to abuse this enumeration mechanism to confirm the existence of the mobile numbers associated with WhatsApp across 245 countries, at a rate of over a hundred million per hour from a single IP address, something that rate limiting should make impossible.
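As an added illustration (not the researchers’ or WhatsApp’s code), the following Python sketches a contact-discovery lookup service with the per-source rate limit that the article says should have bounded this enumeration; the batch cap, hourly budget and sample numbers are assumptions:

```python
import time
from collections import defaultdict

# Constructed illustration, not WhatsApp's code; batch cap and budget are assumed.
MAX_BATCH = 1000            # numbers accepted per lookup request
BUDGET_PER_HOUR = 50_000    # lookups one source (e.g. one IP) may make per hour

class ContactDiscoveryService:
    """Answers 'which of these numbers are registered?' under a per-source token bucket."""

    def __init__(self, registered, clock=time.monotonic):
        self.registered = set(registered)
        self.clock = clock
        # per-source bucket: [tokens remaining, time of last refill]
        self.buckets = defaultdict(lambda: [BUDGET_PER_HOUR, self.clock()])

    def _spend(self, source, n):
        tokens, last = self.buckets[source]
        now = self.clock()
        # refill linearly with elapsed time, never above the hourly budget
        tokens = min(BUDGET_PER_HOUR, tokens + (now - last) * BUDGET_PER_HOUR / 3600)
        allowed = tokens >= n
        self.buckets[source] = [tokens - n if allowed else tokens, now]
        return allowed

    def lookup(self, source, numbers):
        """Return the registered subset of `numbers`; refuse oversized batches
        and sources that have exhausted their hourly budget."""
        if len(numbers) > MAX_BATCH:
            raise ValueError(f"batch of {len(numbers)} exceeds {MAX_BATCH}")
        if not self._spend(source, len(numbers)):
            raise PermissionError(f"{source}: hourly lookup budget exhausted")
        return sorted(n for n in numbers if n in self.registered)

def lookups_until_blocked(service, source, candidates):
    """How many candidates one source can check before the limiter refuses."""
    checked = 0
    for i in range(0, len(candidates), MAX_BATCH):
        batch = candidates[i:i + MAX_BATCH]
        try:
            service.lookup(source, batch)
        except PermissionError:
            break
        checked += len(batch)
    return checked

# Constructed sample data: 200,000 synthetic numbers, every tenth one registered.
CANDIDATES = [f"+1555{i:07d}" for i in range(200_000)]
REGISTERED = CANDIDATES[::10]
```

With a frozen clock, `lookups_until_blocked` over all 200,000 candidates stops at 50,000: the budget, not the size of the candidate list, sets the ceiling on what one source can learn per hour.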

In total, this allowed them to confirm that 3.5 billion mobile numbers are registered to the platform, significantly higher than previous estimates of between two and three billion.

This technique didn’t reveal who was using the mobile numbers, simply that the numbers were valid and being used by someone on WhatsApp. However, the researchers were also able to discover other data such as public (but not private) keys used for end-to-end encryption (E2EE), timestamps, the profile photo associated with a number, and users’ About text or business account profile.

Consequently, “by analyzing these data points, the IT security specialists were further able to infer metadata such as the user’s device operating system, the age of the account, and the number of linked secondary devices (e.g., WhatsApp Web),” said the researchers.

What use might an attacker make of such information? “Knowing whether a specific (mobile) phone number is linked to a messaging app is highly sensitive, especially when that number is tied to a known individual. In regions where certain messaging apps are banned (for example, in China or Myanmar), such information could carry serious consequences.”

In addition, being able to confirm that a mobile number is in active use could make it a target for spam, phishing, and robocalling. The researchers even discovered that 58% of the 530 million phone numbers leaked during the 2021 Facebook hack remain active on WhatsApp.

Unexpectedly for an app built on E2EE privacy, the researchers detected a small number of ‘public key collisions’, meaning that some users secure their conversations with public-private key pairs that are either extremely weak (all zero) or not unique to their device. Any public-key platform will exhibit a tiny number of such collisions by chance, but it is also likely that fraudsters are manufacturing accounts in a way that bypasses normal account generation.

Slow response

These findings aren’t only of concern to consumers. WhatsApp is widely used inside businesses, both informally and via a cloud API that enables customer support, sales contact via a business account and, increasingly, e-commerce authentication.

The worry here is the potential for enumeration attacks to associate phone numbers with real users. The research suggests that, while this is not a trivial undertaking, it would be possible for a well-resourced attacker with an idea of who they were looking for.

According to the researchers, the findings are a reminder that while WhatsApp’s E2EE design protects message contents, the same is not true for metadata.

“Even mature and widely trusted systems can contain design or implementation flaws with real-world consequences. Security and privacy are not one-time achievements but must be continuously reassessed as technology evolves,” commented lead author Gabriel Gegenhuber.

SBA Research has published a statement from Meta thanking them “for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information,” it read.

Meta has now “implemented countermeasures such as rate-limiting and stricter visibility rules for profile information,” SBA Research confirmed.

Meta’s statement is curious, given that the research paper refers at length to Meta’s slow response after the team reported WhatsApp’s rate-limiting weakness, barely acknowledging the issue for a year after they were first told of it in September 2024.

If that’s not a one-off oversight, users should be concerned. Tech companies with the kind of resources that Meta has should jump on security and privacy issues as soon as they are reported. In this case, it seems the company was some way from that ideal.

Coincidentally, this week Meta announced that in the last year it has handed out $4 million in bug bounties to researchers reporting weaknesses in its platforms.

This isn’t the first time WhatsApp’s users’ mobile numbers have been compromised. A database of nearly 500 million WhatsApp mobile numbers was discovered on sale on the dark web in 2022.

And just after WhatsApp was reportedly banned from government-issued devices by a US House of Representatives official earlier this year over issues with the security of its data handling, a security vulnerability affected the WhatsApp Desktop for Windows application.
