Researchers disclosed a WhatsApp flaw that exposed 3.5 billion accounts. Meta has patched it to prevent this mass enumeration.
A team of researchers at the University of Vienna found a WhatsApp flaw that could scrape 3.5 billion accounts. Meta has since patched the vulnerability to block this enumeration technique.
WhatsApp's contact discovery lets a client submit phone numbers to the servers and learn which of them are registered, and the same interface allows phone number enumeration. Despite the standard rate limiting in place, the researchers probed over 100 million numbers per hour without being blocked, demonstrating the platform's vulnerability at scale. They also found that nearly half of the numbers leaked in the 2021 Facebook breach remain active on WhatsApp.
“This architecture inherently enables phone number enumeration, as the service must allow legitimate users to query contact availability. While rate limiting is a standard defense against abuse, we revisit the problem and show that WhatsApp remains highly vulnerable to enumeration at scale,” reads the report published by the researchers. “In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting.”
The researchers developed a method to generate plausible mobile numbers for 245 countries, narrowing the global candidate space to 63 billion numbers. From this they analyzed 3.5 billion WhatsApp accounts, collecting phone numbers, timestamps, profile pictures, about texts, and E2EE public keys, and creating one of the largest datasets studied under ethical constraints. Comparing it with the 500 million entries from the 2021 Facebook scraping, they found that half of those numbers remain active, showing the leak's long-term impact. The team also performed a population census, revealing account activity, device types, OS shares, and profile usage, which highlights how much data the platform exposes despite E2EE. They identified active accounts in regions where WhatsApp is banned (China, Myanmar, North Korea, Iran), showing that the bans are ineffective. Their analysis of the X25519 keys revealed extensive key reuse and repeated one-time prekeys across devices, indicating insecure implementations or potential fraud. Some US numbers even used an all-zero private key, suggesting broken RNGs or non-standard client software.
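The key-reuse and all-zero-key findings can be checked against a registry's own key material with an offline audit. The following is an added example, not the researchers' or Meta's code: it implements X25519 from RFC 7748 in pure Python, assumes clients clamp private keys as that RFC specifies, and uses constructed account IDs and keys.

```python
from collections import defaultdict

P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time: for auditing public data only."""
    s = bytearray(scalar)
    s[0], s[31] = s[0] & 248, (s[31] & 127) | 64  # RFC 7748 clamping
    k = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# Public key that any RFC 7748 client publishes when its private key is all zeros.
ZERO_KEY_PUBLIC = x25519(bytes(32), BASEPOINT)

def audit_identity_keys(keys: dict) -> dict:
    """keys: account id -> 32-byte X25519 identity public key. Returns findings."""
    by_key = defaultdict(list)
    for acct, pub in keys.items():
        by_key[pub].append(acct)
    shared = {pub.hex(): accts for pub, accts in by_key.items() if len(accts) > 1}
    zero_priv = sorted(a for a, pub in keys.items() if pub == ZERO_KEY_PUBLIC)
    return {"shared_keys": shared, "zero_private_key": zero_priv}

# Constructed sample: acct-2 and acct-3 share one key, acct-4 uses an all-zero private key.
SAMPLE = {
    "acct-1": x25519(b"\x42" * 32, BASEPOINT),
    "acct-2": x25519(b"\x11" * 32, BASEPOINT),
    "acct-3": x25519(b"\x11" * 32, BASEPOINT),
    "acct-4": ZERO_KEY_PUBLIC,
}
```

Run `audit_identity_keys(SAMPLE)` to see both findings; on real data, every account in `shared_keys` or `zero_private_key` is one whose identity key offers no protection against impersonation and should be rotated.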
Meta attempted to downplay the problem, saying that no messages, contacts, or private data were exposed, and that profile photos and “about” texts were visible only if users had set them to “everyone.” The researchers reported the issue in stages across 2024–2025, but Meta said the full technical details arrived only in August 2025. Mitigations began in early September, with further protections added in October.
Pierluigi Paganini
(SecurityAffairs – hacking, Meta)
