How WhatsApp Exposed 3.5 Billion Phone Numbers to Anyone

Austrian researchers showed that WhatsApp's contact-discovery system let anyone check 3.5 billion phone numbers and fetch public profile data. Meta added rate-limiting after disclosure; users should review privacy settings.


A recent discovery by Austrian security researchers reveals a worrying reality: for years it was trivially easy to confirm whether any phone number was registered on WhatsApp — and to pull some associated public profile data. The flaw affected roughly 3.5 billion accounts and highlights how a convenience feature can become a large-scale privacy risk.

No hack required — just the app's contact discovery

WhatsApp's growth is built on one simple mechanic: you connect with people by phone number. That same mechanism allowed researchers to enumerate accounts en masse. Rather than exploiting a software vulnerability, the team used WhatsApp Web like any regular user would — repeatedly attempting to add numbers and observing the service's responses.

By automating that process at scale, the researchers were able to check millions of entries per hour. Earlier this year they reported a peak rate of about 100 million phone numbers checked per hour. The result: phone numbers for approximately 3.5 billion WhatsApp users were discoverable. For about 57% of those accounts, the profile photo was also visible to whoever ran the query; for roughly 29%, the public profile text (the "About" line) was available as well.

Why this went unaddressed for so long

Meta — WhatsApp's parent company — had been warned about contact-discovery weaknesses before. A researcher raised concerns in 2017, but meaningful server-side protections were not implemented for several years. The Austrian team privately notified Meta in April. By October, Meta introduced rate-limiting to make mass enumeration far less practical. Still, the window of exposure was long enough that many malicious actors could have abused the mechanism.
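To make the difference between the pre-fix and post-fix server behaviour concrete, here is an added, self-contained Python model of a contact-discovery lookup endpoint, once without any throttling and once with a per-client token-bucket limit of the kind the article says Meta introduced. This is illustration code written for this page; it is not WhatsApp's or Meta's implementation, and the bucket size (500 lookups of burst, refilled at one per second), the sample directory, the client ids and the phone numbers are all constructed assumptions. It also shows the other control the article mentions: fields a user has set to private are never returned, whatever the query rate.

```python
"""Toy contact-discovery endpoint with and without a per-client token-bucket
rate limit. All values here are constructed for illustration; this is not
WhatsApp's code and does not model Meta's real limits."""

# Constructed directory: number -> (profile photo public?, "About" text public?)
REGISTERED = {
    "+431000000000": (True, True),
    "+431000000001": (False, True),
    "+431000000002": (False, False),
}


class TokenBucket:
    """Classic token bucket: `capacity` lookups of burst, refilled at
    `refill_per_sec`. The caller passes the clock so runs are deterministic."""

    def __init__(self, capacity: float, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = 0.0

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ContactDiscovery:
    """Answers 'is this number registered?' lookups. capacity=None means the
    endpoint is unthrottled (the weak, pre-fix setting); otherwise every
    client id gets its own bucket (the hardened setting)."""

    def __init__(self, capacity=None, refill_per_sec=1.0, directory=REGISTERED):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.directory = directory
        self.buckets = {}

    def lookup(self, client_id: str, number: str, now: float) -> dict:
        if self.capacity is not None:
            bucket = self.buckets.setdefault(
                client_id, TokenBucket(self.capacity, self.refill_per_sec))
            if not bucket.allow(now):
                return {"status": "rate_limited"}
        if number not in self.directory:
            return {"status": "not_registered"}
        photo_public, about_public = self.directory[number]
        # Only fields the user set to public are ever returned.
        return {
            "status": "registered",
            "photo": "<photo bytes>" if photo_public else None,
            "about": "<about text>" if about_public else None,
        }


def run_sync(service, client_id, n_numbers, rate_per_sec):
    """Issue n_numbers lookups at a steady rate; return (answered, throttled).
    Numbers are generated sequentially only so the loop has some input."""
    answered = throttled = 0
    for i in range(n_numbers):
        now = i / rate_per_sec
        result = service.lookup(client_id, f"+43{1000000000 + i}", now)
        if result["status"] == "rate_limited":
            throttled += 1
        else:
            answered += 1
    return answered, throttled


def compare():
    """A normal 300-contact address-book sync versus a 100,000-number bulk run,
    each against the unthrottled and the throttled endpoint."""
    out = {}
    for label, svc in (("unthrottled", ContactDiscovery()),
                       ("throttled", ContactDiscovery(capacity=500, refill_per_sec=1.0))):
        out[label] = {
            "normal_sync": run_sync(svc, "phone-A", 300, 100),
            "bulk_run": run_sync(svc, "scraper-B", 100_000, 1000),
        }
    return out


if __name__ == "__main__":
    for label, res in compare().items():
        print(label, res)
```

With these constructed parameters the normal sync is answered in full under both settings, while the bulk run gets every answer from the unthrottled endpoint but only around 600 of its 100,000 lookups from the throttled one (the 500-token burst plus roughly one per second of refill over the 100-second run). The bucket is keyed per client, so throttling one bulk client does not degrade service for everyone else, which is why a per-client limit is the usual first mitigation for enumeration through a lookup API.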

What Meta says

Meta emphasized that the exposed details are "basic publicly available information" and that profile photos and About text were not accessible for users who had set those items to private. The company also stated it "found no evidence of malicious actors abusing this vector" and that the researchers did not access any non-public data.

What this means for users — and practical steps to protect yourself

Even if no widespread abuse has been proven, the episode is a reminder that features designed for convenience can leak sensitive information at scale. Here are sensible actions users can take right away:

  • Review WhatsApp privacy settings: set Profile Photo and About to "My Contacts" or "Nobody" if you want to limit who can view them.
  • Enable two-step verification on your WhatsApp account to add a PIN for additional protection.
  • Be cautious about sharing your phone number publicly or on social platforms — that’s often the key identifier attackers need.
  • Consider using a secondary number for services where you’re comfortable being discoverable.
  • Keep apps and devices updated so you have the latest platform protections and fixes.

Contact discovery is a core feature of messaging apps, and completely disabling it would break the product for many people. Rate-limiting fixes make mass scraping much harder, but the incident underlines the need for companies to balance usability with robust, proactive protections. For users, conservative privacy settings and good account hygiene remain the best defenses.

Source: gsmarena
