WhatsApp Vulnerability: Mass Collection of User Data
Researchers from the University of Vienna have uncovered a significant vulnerability in WhatsApp that let them collect billions of users' phone numbers through the contact discovery mechanism, the lookup that tells a client which of the numbers it submits are registered on the service. By simply iterating through candidate numbers from the web version of the service, they obtained over 3.5 billion records, effectively building a database of phone numbers for most users on the platform. This information was reported by Wired.
In addition to phone numbers, the researchers were able to download profile photos for 57% of the accounts and the public "about" text for 29%, because, unless a user restricts it in their privacy settings, WhatsApp shows this information to anyone who adds the number to their contacts. The team reported the issue to Meta in April 2025 and deleted the collected data. In October, the company introduced stricter rate limits on these requests to close off mass lookups.
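To make the mechanism concrete, here is an added simulation, not WhatsApp code, of a contact-discovery endpoint with and without a per-client lookup budget, and of a scraper walking a numeric block against it. The registry, client ids, number block and limit values are constructed for illustration. Two details matter in practice and are built in: the budget counts numbers submitted rather than requests (contact discovery accepts batches, so a per-request limit would be defeated by larger batches), and a batch that would exceed the budget is refused outright rather than partially served.

```python
"""Simulated contact-discovery endpoint with and without a per-client lookup budget.

Added example, not WhatsApp code. The registry, client ids, number block and
limits below are constructed for illustration.
"""
from collections import deque


class RateLimited(Exception):
    """Raised when a client would exceed its lookup budget for the window."""


# Constructed sample data: a small block of numbers, four of them registered.
# The profile fields mimic the photo / "about" text visible to anyone who
# holds the number and whose owner has not restricted visibility.
REGISTRY = {
    "+4367700000013": {"photo": True, "about": "hi there"},
    "+4367700000042": {"photo": False, "about": ""},
    "+4367700000077": {"photo": True, "about": ""},
    "+4367700000199": {"photo": True, "about": "travelling"},
}


class ContactDiscovery:
    """Answers 'which of these numbers are registered?' for batches of numbers.

    max_numbers: how many *numbers* (not requests) one client may query per
    window; None disables the limit, the state the researchers found.
    """

    def __init__(self, max_numbers=None, window_s=60.0):
        self.max_numbers = max_numbers
        self.window_s = window_s
        self._events = {}  # client_id -> deque of (timestamp, numbers_in_batch)

    def _spent(self, client_id, now):
        """Numbers this client has queried inside the current window."""
        q = self._events.setdefault(client_id, deque())
        while q and now - q[0][0] >= self.window_s:
            q.popleft()
        return sum(n for _, n in q)

    def lookup(self, client_id, numbers, now):
        """Return {number: profile} for the registered numbers in `numbers`.

        `now` is an injected clock (seconds) so the behaviour is deterministic.
        """
        numbers = list(numbers)
        if self.max_numbers is not None:
            # Refuse the whole batch if it would overrun the budget; serving
            # part of it would still leak the registered numbers it contains.
            if self._spent(client_id, now) + len(numbers) > self.max_numbers:
                raise RateLimited(client_id)
            self._events[client_id].append((now, len(numbers)))
        return {n: REGISTRY[n] for n in numbers if n in REGISTRY}


def enumerate_block(service, client_id, prefix, start, stop, batch=50, now=0.0):
    """Walk a numeric block the way a scraper would: sequential numbers,
    submitted in batches, stopping at the first rate-limit refusal.

    Returns (found, numbers_probed). With no limit the scraper recovers every
    registered number in the block at a cost of one probe per candidate.
    """
    found = {}
    probed = 0
    for lo in range(start, stop, batch):
        chunk = [f"{prefix}{i:08d}" for i in range(lo, min(lo + batch, stop))]
        try:
            found.update(service.lookup(client_id, chunk, now))
        except RateLimited:
            break
        probed += len(chunk)
    return found, probed


if __name__ == "__main__":
    unlimited = ContactDiscovery()
    print(enumerate_block(unlimited, "scraper", "+43677", 0, 200))
    limited = ContactDiscovery(max_numbers=100, window_s=60.0)
    print(enumerate_block(limited, "scraper", "+43677", 0, 200))
```

A budget like this only slows a single client down; it does not stop enumeration by an attacker who can mint many client identities, so in practice it has to be paired with account-level controls and with monitoring for sequential or high-volume lookup patterns.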
Meta stated that it had found no evidence of malicious use of this technique and described the exposed information as "basic public data". The researchers, however, emphasize that they did not bypass any protections – there were none to bypass. A similar weakness was described by another researcher back in 2017, but it was never addressed.
The analysis also showed how many accounts expose information publicly. Among 137 million numbers from the USA, 44% had a publicly visible profile photo; in India, where WhatsApp is most popular, the figure reached 62%.
Researchers believe that databases of this scale could be of interest to spam campaigns or governments in countries where WhatsApp is blocked. Among the collected data, they found 2.3 million numbers from China and 1.6 million from Myanmar, which could pose risks to users in those countries.
The team also found the same public keys reused across multiple accounts, which may indicate the use of unofficial WhatsApp clients, particularly by those engaged in fraud.
The researchers conclude that the main problem lies in using the phone number as a universal identifier. A phone number is neither secret nor permanently bound to one person, and was never designed to be a private or unique key, yet in WhatsApp it serves as the basis for finding and verifying accounts. Meta is already testing usernames as an alternative.