Potentially Historic Massive Data Leak

Austrian researchers have revealed a mass enumeration vulnerability in WhatsApp that allowed the extraction of 3.5 billion user phone numbers. This finding highlights a security flaw in the app’s “contact discovery” feature, which, lacking strict rate limiting, allowed researchers to scrape a large portion of WhatsApp’s user base.

The technique the researchers used relies on how WhatsApp makes it easy to add contacts: when you enter a phone number, the platform instantly checks whether that number is registered and often displays the profile photo and associated name. By repeating this lookup billions of times through the browser-based WhatsApp client, the researchers were able to collect the phone numbers of almost all WhatsApp users in the world.

Scope of Data Exposure

The study, conducted by researchers at the University of Vienna, documented the following findings on the magnitude of exposure:

  • Phone numbers: 3.5 billion phone numbers were extracted.
  • Profile photos: The profile photos of 57% of those users were accessible.
  • Profile text: The profile text of 29% of those users was accessible.

According to researchers, this incident represents “the most extensive exposure of phone numbers and related user data ever documented.” The researchers noted that despite previous warnings in 2017 about similar data exposure, WhatsApp’s parent company, Meta, had not limited the speed of contact discovery requests. This allowed researchers to check approximately one hundred million numbers per hour.

Meta's Response and Implemented Solution

The researchers notified Meta about the finding in April through the bug bounty system. In October, Meta implemented a stricter “rate limiting” measure that prevents the bulk enumeration method used by researchers.

In its statement, Meta thanked the researchers and classified the exposed data as “basic public information” for users who had not adjusted their privacy settings to hide their profile. Nitin Gupta, vice president of engineering at WhatsApp, said the company was already working on industry-leading anti-scraping systems and that the study was instrumental in testing the effectiveness of these new defenses. Meta also noted that no evidence was found of malicious actors abusing this vector and reiterated that user messages remained private thanks to end-to-end encryption.
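The two controls this article describes, a per-client rate limit on contact-discovery lookups and privacy settings that decide whether a profile photo or text is returned at all, are easy to show together. The following is an added illustration written for this page, not WhatsApp's or Meta's code; the directory entries, client ids, bucket sizes and the `FakeClock` are all constructed for the example. It models contact discovery as a token bucket per client: an idle client can burst a small number of lookups, then is held to a slow sustained rate, and every rejected lookup is counted so that a client accumulating rejections shows up as an enumeration signal for monitoring.

```python
import time
from dataclasses import dataclass


class RateLimited(Exception):
    """Raised when a client has exhausted its contact-discovery budget."""


@dataclass
class Bucket:
    tokens: float
    last_refill: float


# Constructed sample directory: E.164 number -> profile data plus each user's
# visibility settings ("everyone", "contacts" or "nobody").
DIRECTORY = {
    "+15550000001": {"photo": "alice.jpg", "about": "Hey there!",
                     "photo_visible_to": "everyone", "about_visible_to": "everyone"},
    "+15550000002": {"photo": "bob.jpg", "about": "busy",
                     "photo_visible_to": "contacts", "about_visible_to": "nobody"},
}


class ContactDiscovery:
    """Toy contact-discovery endpoint guarded by a per-client token bucket.

    capacity:       burst size, i.e. lookups an idle client may make at once
    refill_per_sec: sustained lookups per second allowed per client
    clock:          injectable time source (hypothetical; real code uses monotonic time)
    """

    def __init__(self, directory, capacity=20, refill_per_sec=0.5, clock=time.monotonic):
        self.directory = directory
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets = {}
        self.rejections = {}  # client_id -> rejected lookups; a signal worth alerting on

    def _take_token(self, client_id):
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = Bucket(tokens=self.capacity, last_refill=now)
        # Refill in proportion to elapsed time, never above capacity.
        bucket.tokens = min(self.capacity,
                            bucket.tokens + (now - bucket.last_refill) * self.refill_per_sec)
        bucket.last_refill = now
        if bucket.tokens < 1:
            self.rejections[client_id] = self.rejections.get(client_id, 0) + 1
            raise RateLimited(client_id)
        bucket.tokens -= 1

    def lookup(self, client_id, number):
        """Return what a non-contact caller may learn about `number`, or raise RateLimited."""
        self._take_token(client_id)
        entry = self.directory.get(number)
        if entry is None:
            return {"registered": False}
        # Registration status is inherent to contact discovery; the privacy
        # settings decide whether photo and profile text are returned at all.
        result = {"registered": True}
        if entry["photo_visible_to"] == "everyone":
            result["photo"] = entry["photo"]
        if entry["about_visible_to"] == "everyone":
            result["about"] = entry["about"]
        return result


class FakeClock:
    """Constructed deterministic clock so the example runs the same every time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_scan(n_numbers, capacity=20, refill_per_sec=0.5, seconds_between=0.0):
    """Run one client through n sequential lookups; return (served, rejected)."""
    clock = FakeClock()
    service = ContactDiscovery(DIRECTORY, capacity, refill_per_sec, clock)
    served = rejected = 0
    for i in range(n_numbers):
        number = f"+1555{i:07d}"  # constructed sequential numbers
        try:
            service.lookup("client-A", number)
            served += 1
        except RateLimited:
            rejected += 1
        clock.advance(seconds_between)
    return served, rejected


if __name__ == "__main__":
    print("back-to-back lookups:", simulate_scan(1000))          # (20, 980)
    print("one lookup every 2 s:", simulate_scan(1000, seconds_between=2.0))  # (1000, 0)
```

With the defaults, a client firing lookups back to back gets its first 20 answered and the remaining 980 rejected, while a client that pauses two seconds between lookups, which is what adding contacts by hand looks like, is never throttled. The `rejections` counter is the detection hook: a limiter that silently drops requests protects the directory, but exporting the per-client rejection count is what lets an operations team notice a scan in progress rather than discover it afterwards.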

Conclusion

The WhatsApp enumeration vulnerability underlines the importance of privacy settings and the need for messaging platforms to implement robust rate limiting to prevent mass data mining. While Meta has patched the vulnerability and found no evidence of malicious exploitation, the incident shows how a seemingly harmless feature can be turned into a large-scale data breach.

To protect themselves from future exposure, users should review and adjust their privacy settings on WhatsApp to limit who can see their profile photo and status text.