Artem Lysenko / 19 November 2025

WhatsApp Vulnerability: Mass Collection of User Phone Numbers

Researchers from the University of Vienna have identified a significant vulnerability in WhatsApp, enabling the mass collection of user phone numbers through the contact search mechanism. By simply iterating through numbers on the web version of the service, they managed to gather over 3.5 billion records, essentially creating a database of phone numbers for most of the platform's users. This was reported by Wired.
In addition to phone numbers, the researchers accessed profile avatars for 57% of accounts and public profile text for 29%, as WhatsApp displays this information to anyone who adds a number to contacts. The team reported the issue to Meta in April 2025 and deleted the collected database. In October, the company implemented stricter rate limits to prevent mass checks.
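The mitigation the article mentions, stricter rate limits on contact lookups, sketched here as an added Python example (not WhatsApp's or Meta's code). The window size, the per-account budget and the sequential-run heuristic are assumed values chosen for illustration:

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600          # sliding window length (assumed value)
MAX_LOOKUPS_PER_WINDOW = 500   # distinct numbers one account may check per window (assumed value)
SEQUENTIAL_RUN_THRESHOLD = 20  # a batch with this many consecutive numbers looks like iteration (assumed)


def longest_sequential_run(numbers):
    """Length of the longest run of numerically consecutive E.164 numbers in a batch."""
    values = sorted(int(n.lstrip("+")) for n in numbers)
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


class ContactDiscoveryGuard:
    """Sliding-window limiter for contact-discovery lookups, keyed by the requesting account."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_LOOKUPS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.history = defaultdict(deque)  # account -> deque of (timestamp, number), oldest first

    def _prune(self, account, now):
        # Drop lookups that have aged out of the window so the budget refills over time.
        q = self.history[account]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def check_batch(self, account, numbers, now):
        """Return (allowed, reason); rejected batches are not recorded against the budget."""
        self._prune(account, now)
        q = self.history[account]
        seen = {n for _, n in q}
        new = [n for n in numbers if n not in seen]
        # Budget counts distinct numbers, so re-syncing the same address book is cheap
        # while walking through fresh numbers exhausts the allowance.
        if len(seen) + len(new) > self.limit:
            return False, "rate_limit"
        if longest_sequential_run(numbers) >= SEQUENTIAL_RUN_THRESHOLD:
            return False, "sequential_enumeration"
        for n in new:
            q.append((now, n))
        return True, "ok"
```

A real deployment would add the same accounting per source IP and device, and would respond to repeat offenders with throttling rather than a clean rejection that tells the client exactly where the limit sits.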
Meta stated that it found no evidence of malicious use of this technique, asserting that the reported information was "basic public data." However, researchers emphasize that they did not bypass any protective mechanisms—those mechanisms simply did not exist. Another researcher had noted a similar vulnerability back in 2017, but it was never resolved.
The analysis also revealed a significant number of accounts with public information. For instance, among 137 million numbers from the U.S., 44% had open photos. In India, where WhatsApp is most popular, this figure reached 62%.
Researchers believe that databases of this scale could be attractive to spam campaigns or governments in countries where WhatsApp is blocked. Among the gathered data, they found 2.3 million numbers from China and 1.6 million from Myanmar, which could pose risks for users in those countries.
The team also discovered repeated cryptographic keys in some accounts, which might indicate the use of unofficial WhatsApp clients, particularly by those involved in fraud.
Researchers conclude that the main issue is the use of phone numbers as universal identifiers. They were not designed as private or unique keys, but in WhatsApp, they serve as the foundation for account search and validation. Meta is already testing a nickname system as an alternative.