Security researchers from the University of Vienna exposed a critical **vulnerability** in WhatsApp’s contact discovery mechanism, enabling the enumeration of **3.5 billion phone numbers globally** by exploiting weak rate-limiting protections. The flaw allowed attackers to query **63 billion candidate numbers** across 245 countries, retrieving not just phone numbers but also **public profile pictures (77M from US users, 66% with detectable faces), status messages, business account details, device information, encryption keys, and timestamps**. The breach posed severe risks, particularly in **banned regions** (e.g., 2.3M active accounts in China, 1.6M in Myanmar, 59M in Iran), where users could face **government surveillance or legal repercussions**. Cross-referencing with the **2021 Facebook leak** revealed that **50% of exposed numbers remained active**, highlighting persistent threats like **spam, phishing, and robocalls**. While WhatsApp mitigated the issue post-disclosure (e.g., rate-limiting, restricting profile picture access), the incident underscored systemic privacy risks in centralized platforms, where **convenience features become attack vectors at scale**. End-to-end encryption for messages remained intact, but the **mass exposure of metadata and linked identities** created long-term surveillance and targeting risks.
Source: https://cyberpress.org/whatsapp-vulnerability/
WhatsApp cybersecurity rating report: https://www.rankiteo.com/company/whatsapp.
"id": "WHA2002220112025",
"linkid": "whatsapp.",
"type": "Vulnerability",
"date": "6/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [
     {'customers_affected': '3.5 billion (all users with phone numbers exposed; 77 million US profile pictures downloaded)',
      'industry': 'Technology / Social Media',
      'location': 'Global',
      'name': 'WhatsApp (Meta Platforms, Inc.)',
      'size': '3.5 billion users',
      'type': 'Messaging Platform'},
     {'customers_affected': '62.9 million (potential surveillance/legal risks)',
      'location': ['China (2.3M accounts)', 'Myanmar (1.6M accounts)', 'Iran (59M accounts)'],
      'name': 'Users in Restricted Regions',
      'type': 'Individuals'}],
 'attack_vector': ['API Abuse', 'Weak Rate Limiting', 'Reverse-Engineered APIs'],
 'customer_advisories': 'Users advised to review privacy settings and limit public profile data.',
 'data_breach': {
     'data_encryption': 'End-to-end encryption for messages remained intact; encryption keys for accounts were exposed',
     'data_exfiltration': 'Yes (researchers downloaded data for analysis)',
     'file_types_exposed': ['JPEG/PNG (profile pictures)', 'Text (status messages, business info)'],
     'number_of_records_exposed': '3.5 billion (phone numbers); 77 million (US profile pictures)',
     'personally_identifiable_information': 'Yes (phone numbers + facial data)',
     'sensitivity_of_data': 'High (PII + facial recognition risks)',
     'type_of_data_compromised': ['Phone Numbers',
                                  'Profile Pictures',
                                  'Status Messages',
                                  'Business Account Info',
                                  'Device Details',
                                  'Encryption Keys',
                                  'Timestamps',
                                  'Facial Recognition Data']},
 'date_detected': '2024-12-01',
 'date_publicly_disclosed': '2025-04-01',
 'date_resolved': '2025-04-01',
 'description': 'Security researchers from the University of Vienna uncovered a critical vulnerability in WhatsApp’s contact discovery '
                'mechanism, allowing them to enumerate phone numbers of 3.5 billion users worldwide. The flaw stemmed from weak '
                'rate-limiting protections, enabling researchers to probe over 100 million phone numbers per hour. Beyond phone numbers, the '
                'vulnerability exposed public profile pictures, status messages, business account information, device details, '
                'encryption keys, and timestamps. Researchers successfully downloaded 77 million public profile pictures from US '
                'accounts, with 66% containing detectable human faces. The data could enable facial recognition-based lookup services, '
                'posing risks like spam, phishing, and surveillance—especially in countries where WhatsApp is banned (e.g., 2.3M active '
                'accounts in China, 1.6M in Myanmar, 59M in Iran). WhatsApp implemented countermeasures after responsible disclosure, '
                'including cardinality-based rate limiting and restricting access to public profile data.',
 'impact': {
     'brand_reputation_impact': 'Moderate (Privacy concerns raised, but proactive mitigation by WhatsApp)',
     'data_compromised': ['Phone Numbers (3.5 billion)',
                          'Public Profile Pictures (77 million from US accounts)',
                          'Status Messages',
                          'Business Account Information',
                          'Device Details',
                          'Encryption Keys',
                          'Timestamps',
                          'Facial Recognition Data (66% of profile pictures contained detectable faces)'],
     'identity_theft_risk': 'High (Facial recognition + phone number linkage)',
     'operational_impact': 'High (Potential for spam, phishing, robocalls, and surveillance risks)',
     'systems_affected': ['WhatsApp Contact Discovery API',
                          'WhatsApp Android Clients (Key Reuse Vulnerability)']},
 'investigation_status': 'Completed (Vulnerability patched; research published)',
 'lessons_learned': ['Centralized messaging platforms face inherent privacy risks when convenience features (e.g., contact discovery) lack abuse protections at scale.',
                     'Weak rate limiting can enable mass enumeration attacks, exposing billions of records.',
                     'Publicly accessible data (e.g., profile pictures) can become high-risk when combined with other exposed attributes (e.g., phone numbers).',
                     'Data breaches have long-term impacts; 50% of phone numbers from a 2021 leak remained active on WhatsApp in 2025.',
                     'Facial recognition risks emerge when profile pictures are linked to identifiers like phone numbers.'],
 'motivation': 'Academic Research / Responsible Disclosure',
 'post_incident_analysis': {
     'corrective_actions': ['Deployed probabilistic rate limiting (e.g., Bloom filters) to prevent enumeration.',
                            'Restricted public access to profile pictures/status messages.',
                            'Removed timestamps from profile picture queries to limit metadata exposure.',
                            'Patched Android key reuse vulnerability.',
                            'Enhanced API monitoring for abusive queries.'],
     'root_causes': ['Inadequate rate limiting in contact discovery API',
                     'Over-permissive access to public profile data (pictures, statuses, timestamps)',
                     'Lack of cardinality-based protections against bulk queries',
                     'Key reuse vulnerability in Android clients']},
 'recommendations': ['Implement stricter rate limiting with probabilistic data structures (e.g., Bloom filters) to prevent enumeration attacks.',
                     "Restrict default visibility of profile pictures/status messages, even for 'public' settings.",
                     'Audit third-party API access and contact discovery mechanisms for abuse potential.',
                     'Enhance user education on privacy settings and risks of public profile data.',
                     'Monitor for secondary risks (e.g., phishing, spam) stemming from exposed data.',
                     'Conduct regular red-team exercises to test for large-scale data exposure vectors.'],
 'references': [{'source': 'University of Vienna Security Research Team'},
                {'source': 'WhatsApp Security Advisory (2025)'},
                {'source': 'Comparison with 2021 Facebook Data Leak'}],
 'response': {
     'communication_strategy': 'Public disclosure with mitigation details; emphasized end-to-end encryption remains intact',
     'containment_measures': ['Cardinality-based rate limiting using probabilistic data structures',
                              'Restricted access to profile pictures and status messages (even if set to public)',
                              'Removed timestamps from profile picture queries'],
     'enhanced_monitoring': 'Likely (implied by rate-limiting fixes)',
     'incident_response_plan_activated': 'Yes (Collaboration with researchers)',
     'remediation_measures': ['Fixed key reuse vulnerability in Android clients',
                              'Enhanced API protections against bulk enumeration'],
     'third_party_assistance': 'University of Vienna Security Researchers'},
 'stakeholder_advisories': 'WhatsApp notified users via blog post and in-app notifications about privacy enhancements.',
 'threat_actor': 'University of Vienna Security Researchers (Ethical Disclosure)',
 'title': 'Critical WhatsApp Vulnerability Exposes 3.5 Billion User Phone Numbers and Profile Data',
 'type': ['Privacy Violation', 'Data Exposure', 'Unintended Data Disclosure'],
 'vulnerability_exploited': ['Contact Discovery Mechanism Flaw',
                             'Cardinality-Based Rate Limiting Bypass',
                             'Key Reuse Vulnerability (Android)']}