{"id":5870,"date":"2025-11-19T22:00:35","date_gmt":"2025-11-19T22:00:35","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5870"},"modified":"2025-11-19T22:00:35","modified_gmt":"2025-11-19T22:00:35","slug":"whatsapp-flaw-allowed-discovery-of-the-3-5-billion-mobile-numbers-registered-to-the-platform","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5870","title":{"rendered":"WhatsApp flaw allowed discovery of the 3.5 billion mobile numbers registered to the platform"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers have uncovered a WhatsApp privacy flaw that allowed them to discover the 3.5 billion mobile numbers using the app globally, and possibly infer the identities of some of the people behind them.<\/p>\n<p>WhatsApp vulnerabilities are not new, but the scale of the discovery by a combined team from the University of Vienna and SBA Research, outlined in <a href=\"https:\/\/github.com\/sbaresearch\/whatsapp-census\/blob\/main\/Hey_there_You_are_using_WhatsApp.pdf\" target=\"_blank\" rel=\"noopener\"><em>Hey there \u2013 You are using WhatsApp<\/em><\/a>, marks this as one of the most embarrassing weaknesses yet in the world\u2019s most widely-used communication app.<\/p>\n<p>The vulnerability was in WhatsApp\u2019s contact discovery mechanism, the foundation of how this and many similar apps work. When WhatsApp is installed, it asks for permission to match mobile numbers in a user\u2019s local address book to corresponding numbers in WhatsApp\u2019s central database. 
It then determines which of those address book users are also using WhatsApp.<\/p>\n<p>The researchers discovered a way to abuse this enumeration mechanism to confirm the existence of the mobile numbers associated with WhatsApp across 245 countries, at a rate of over a hundred million per hour from a single IP address, something that rate limiting should make impossible.<\/p>\n<p>In total, this allowed them to confirm that 3.5 billion mobile numbers are registered to the platform, significantly higher than previous estimates of between two and three billion.<\/p>\n<p>This technique didn\u2019t reveal who was using the mobile numbers, simply that the numbers were valid and being used by someone on WhatsApp. However, the researchers were also able to discover other data such as public (but not private) keys used for end-to-end encryption (E2EE), timestamps, the profile photo associated with a number, and users\u2019 <em>About<\/em> text or business account profile.<\/p>\n<p>Consequently, \u201cby analyzing these data points, the IT security specialists were further able to infer metadata such as the user\u2019s device operating system, the age of the account, and the number of linked secondary devices (e.g., WhatsApp Web),\u201d said the researchers.<\/p>\n<p>What use might an attacker make of such information? \u201cKnowing whether a specific (mobile) phone number is linked to a messaging app is highly sensitive, especially when that number is tied to a known individual. In regions where certain messaging apps are banned (for example, in China or Myanmar), such information could carry serious consequences.\u201d<\/p>\n<p>In addition, being able to confirm that a mobile number is in active use could make it a target for spam, phishing, and robocalling. 
The researchers even discovered that 58% of the 530 million phone numbers leaked during the <a href=\"https:\/\/www.csoonline.com\/article\/534628\/the-biggest-data-breaches-of-the-21st-century.html\" target=\"_blank\" rel=\"noopener\">2021 Facebook hack<\/a> remain active on WhatsApp.<\/p>\n<p>Unexpectedly for an app based on E2EE privacy, the researchers detected a small number of \u2018public key collisions,\u2019 which means that some users are using public-private key pairs to secure their conversations that are either incredibly weak (all zero) or not unique to their device. Any public key platform will express a tiny number of these on a random basis, but it\u2019s also likely that accounts are somehow being manufactured by fraudsters in a way that bypasses normal account generation.<\/p>\n<h2 class=\"wp-block-heading\">Slow response<\/h2>\n<p>These findings aren\u2019t only of concern to consumers. WhatsApp is widely used inside businesses, both informally and via a cloud API that enables customer support, sales contact via a business account, and, increasingly, for e-commerce authentication.<\/p>\n<p>The worry here is the potential for enumeration attacks to associate phone numbers with real users. The research suggests that, while this is not a trivial undertaking, it would be possible for a well-resourced attacker with an idea of who they were looking for.<\/p>\n<p>According to the researchers, the findings are a reminder that while WhatsApp\u2019s E2EE design protects message contents, the same is not true for metadata.<\/p>\n<p>\u201cEven mature and widely trusted systems can contain design or implementation flaws with real-world consequences. 
Security and privacy are not one-time achievements but must be continuously reassessed as technology evolves,\u201d commented lead author <a href=\"https:\/\/www.linkedin.com\/in\/gabriel-gegenhuber\/\" target=\"_blank\" rel=\"noopener\">Gabriel Gegenhuber<\/a>.<\/p>\n<p><a href=\"https:\/\/www.sba-research.org\/2025\/11\/19\/researchers-discover-major-security-flaw-in-whatsapp\/\" target=\"_blank\" rel=\"noopener\">SBA Research has published a statement from Meta<\/a> thanking them \u201cfor their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information,\u201d it read.<\/p>\n<p>Meta has now \u201cimplemented countermeasures such as rate-limiting and stricter visibility rules for profile information,\u201d SBA Research confirmed.<\/p>\n<p>Meta\u2019s statement is curious, given that the research paper refers at length to Meta\u2019s slow response after the team reported WhatsApp\u2019s rate-limiting weakness, barely acknowledging the issue for a year after they were first told of it in September 2024.<\/p>\n<p>If that\u2019s not a one-off oversight, users should be concerned. Tech companies with the kind of resources that Meta has should jump on security and privacy issues as soon as they are reported. In this case, it seems the company was some way from that ideal.<\/p>\n<p>Coincidentally, this week <a href=\"https:\/\/bugbounty.meta.com\/en-gb\/blog\/15th-anniversary-2025\/\" target=\"_blank\" rel=\"noopener\">Meta announced<\/a> that in the last year it has handed out $4 million in bug bounties to researchers reporting weaknesses in its platforms.<\/p>\n<p>This isn\u2019t the first time WhatsApp\u2019s users\u2019 mobile numbers have been compromised. 
A <a href=\"https:\/\/www.csoonline.com\/article\/574147\/500-million-whatsapp-mobile-numbers-up-for-sale-on-the-dark-web.html\" target=\"_blank\" rel=\"noopener\">database of nearly 500 million WhatsApp<\/a> mobile numbers was discovered on sale on the dark web in 2022.<\/p>\n<p>And just after <a href=\"https:\/\/www.computerworld.com\/article\/4011838\/us-house-reportedly-bans-whatsapp-from-staffers-devices-over-security-concerns.html\" target=\"_blank\" rel=\"noopener\">WhatsApp was reportedly banned<\/a> from government-issued devices by a US House of Representatives official earlier this year over issues with the security of its data handling, a security vulnerability affected the <a href=\"https:\/\/www.csoonline.com\/article\/3958125\/whatsapp-plugs-bug-allowing-rce-with-spoofed-filenames.html\" target=\"_blank\" rel=\"noopener\">WhatsApp Desktop for Windows application<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers have uncovered a WhatsApp privacy flaw that allowed them to discover the 3.5 billion mobile numbers using the app globally, and possibly infer the identities of some of the people behind them. 
WhatsApp vulnerabilities are not new, but the scale of the discovery by a combined team from the University of Vienna and SBA [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5871,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5870","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5870"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5870"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5870\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5871"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}