WhatsApp had a massive flaw that put phone number of 3.5 billion users at risk

A serious security vulnerability in WhatsApp has put the phone numbers of approximately 3.5 billion users at risk, as revealed by researchers from the University of Vienna. The study highlighted that the researchers were able to access profile photos of users in 57% of cases and text from user profiles in 29% of instances. Despite being informed of this flaw as early as 2017, WhatsApp and its parent company Meta failed to implement necessary safeguards. The researchers cautioned that had this data been exploited by malicious individuals, it could have resulted in the largest data breach ever recorded, surpassing the 2021 incident involving Facebook, which compromised around 500 million records. The dataset in question includes phone numbers, timestamps, profile texts, profile pictures, and public keys used for end-to-end encryption, all of which could have serious ramifications for the affected users. Aljosha Judmayer, one of the lead researchers, emphasized the unprecedented scale of this exposure, stating, "To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented." The researchers initially alerted WhatsApp to the vulnerability in April 2025. While the company was slow to respond, it eventually collaborated with the researchers to address the issue, implementing stricter rate-limiting measures by October. WhatsApp's contact discovery feature, which allows users to see which of their contacts use the app by uploading their address books, was exploited due to the lack of effective rate-limiting, enabling the scanning of large blocks of phone numbers. Once a number was confirmed on WhatsApp, the loophole permitted access to other publicly available information such as profile pictures, profile text, device types, and linked devices. Meta acknowledged the security flaw, thanking the University of Vienna researchers for their responsible handling of the situation. A spokesperson stated, "This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information." They assured that they are continuously working on enhancing anti-scraping measures and confirmed that no evidence of malicious abuse of this vulnerability has been found. Furthermore, they reiterated that user messages remain secure and private due to WhatsApp's end-to-end encryption, ensuring no non-public data was accessed in the research process.