A sweeping investigation by Austrian academics has uncovered a WhatsApp vulnerability that allowed outsiders to determine whether billions of phone numbers were tied to active accounts.
The discovery, which WhatsApp has since moved to patch, also exposed additional metadata linked to users.
Researchers say the flaw showed how easily the platform’s contact-matching system could be repurposed for large-scale data collection.
How the flaw worked
The feature that lets new WhatsApp users see which contacts already have an account is built on the app’s automatic matching of phone numbers. According to researchers from the University of Vienna and the Vienna University of Technology, that same process can be redirected to probe the registration status of any number.
They warned that the mechanism “can be misused to check if a specific individual (such as a government official, ex-partner or employer) is registered on WhatsApp” by entering only the phone number.
WhatsApp has strengthened privacy protections in recent years, but the academics said the contact-matching system still lends itself to mass harvesting and could feed spam, phishing, or robocalling operations.
Testing at global scale
To assess the impact, the researchers generated vast pools of potential numbers across 245 countries and fed them into a WhatsApp API to test which accounts were active. Their method reached a probing rate of roughly 7,000 numbers per second per session.
They carried out the process from a single IP address and five WhatsApp accounts, and said the company neither blocked nor detected the activity. In the end, they confirmed 3.5 billion active numbers — a total they noted “exceeds the ‘more than 2 billion people’ officially declared by WhatsApp.”
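The two sections above describe the same failure from both sides: a contact-discovery endpoint that answers registration queries for any number, and a service that neither throttled nor noticed five accounts on one IP address sustaining about 7,000 lookups per second. The following is an added example, not code from the researchers or from WhatsApp, of the kind of server-side detector that would have surfaced that pattern. It replays a constructed log of contact-sync requests and flags any account or source IP whose distinct-lookup volume or sustained rate is far beyond what a genuine address-book sync could produce. The thresholds, account names, IP addresses and phone numbers are all assumptions constructed for the example.

```python
"""Detect address-book enumeration against a contact-discovery endpoint.

Added example (not the researchers' or WhatsApp's code). The policy
numbers below are illustrative assumptions, not any real service's
limits: a real client syncs at most a few thousand contacts and never
sustains thousands of lookups per second for minutes on end.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_DISTINCT_PER_ACCOUNT = 5_000    # larger than any plausible address book
MAX_RATE_PER_ACCOUNT = 50.0         # lookups per second, sustained
MAX_DISTINCT_PER_IP = 20_000        # a few accounts on one IP is normal
MIN_WINDOW_SECONDS = 60.0           # one batch cannot establish a sustained rate


@dataclass
class SyncRequest:
    ts: float          # seconds since epoch
    account: str       # requesting account id (constructed)
    src_ip: str        # source address (constructed, documentation range)
    numbers: list      # E.164 strings submitted in this batch


@dataclass
class Finding:
    subject: str       # "account:<id>" or "ip:<addr>"
    reason: str
    value: float


def detect_enumeration(requests):
    """Return Findings for accounts and IPs whose lookups look like enumeration."""
    by_account = defaultdict(set)
    by_ip = defaultdict(set)
    first_seen, last_seen = {}, {}
    for r in requests:
        by_account[r.account].update(r.numbers)
        by_ip[r.src_ip].update(r.numbers)
        first_seen.setdefault(r.account, r.ts)
        last_seen[r.account] = r.ts

    findings = []
    for acct, nums in by_account.items():
        n = len(nums)
        if n > MAX_DISTINCT_PER_ACCOUNT:
            findings.append(Finding(f"account:{acct}",
                                    "distinct_lookups_exceed_address_book", n))
        # Rate over at least a one-minute window, so a single legitimate
        # bulk sync of a few hundred contacts is not mistaken for probing.
        span = max(last_seen[acct] - first_seen[acct], MIN_WINDOW_SECONDS)
        rate = n / span
        if rate > MAX_RATE_PER_ACCOUNT:
            findings.append(Finding(f"account:{acct}",
                                    "sustained_lookup_rate", round(rate, 1)))
    for ip, nums in by_ip.items():
        if len(nums) > MAX_DISTINCT_PER_IP:
            findings.append(Finding(f"ip:{ip}",
                                    "distinct_lookups_per_ip", len(nums)))
    return findings


def build_sample_log():
    """Constructed log: one benign sync plus five accounts probing from one IP."""
    log = [SyncRequest(1000.0, "benign", "203.0.113.9",
                       [f"+43{k:09d}" for k in range(300)])]
    # Five accounts sharing one IP, each sending 7,000 sequential numbers per
    # second for two seconds (the paper's per-session rate, shortened here).
    for i in range(5):
        for sec in range(2):
            base = i * 100_000 + sec * 7_000
            log.append(SyncRequest(2000.0 + sec, f"probe{i}", "198.51.100.7",
                                   [f"+43{base + k:09d}" for k in range(7_000)]))
    return log


if __name__ == "__main__":
    for f in detect_enumeration(build_sample_log()):
        print(f"{f.subject:<20} {f.reason:<40} {f.value}")
```

Each probing account trips both the distinct-lookup and the sustained-rate rule, and the shared source address trips the per-IP rule, while the benign 300-contact sync produces no finding. In a real deployment the per-account budget would be enforced at request time (refusing or delaying lookups past the budget) rather than only reported afterwards, and the per-IP signal would be weighted down for carrier-grade NAT ranges where many unrelated users legitimately share an address.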
Using WhatsApp’s XMPP API, the team retrieved more publicly accessible account details, including encryption public keys, timestamps, profile photos, and business information.
What the data revealed
The volume of metadata allowed the group to form what they described as a census-level picture of WhatsApp use worldwide. They wrote that the information “provides insight into the interesting large-scale macroscopic observations that the instant messaging service is capable of obtaining, even without having access to the message content.”
According to their analysis, Europe accounts for roughly 18% of WhatsApp’s user base, with 64% of those users on Android and 36% on iOS. Asia emerged as the largest region at 47%, where Android usage reached 88%.
The findings showed how much could be inferred from non-message data alone, raising concerns about how similar techniques might be exploited outside academic research.
WhatsApp’s response
The researchers said they disclosed the flaw to WhatsApp and worked with the company on mitigations. According to their account, countermeasures began rolling out in early October, and the company accelerated other planned protections after the report.
The platform has not publicly disputed the researchers’ figures, which were summarized in the team’s technical documentation posted on GitHub.
The incident adds to ongoing scrutiny of how messaging platforms balance user discovery features with privacy safeguards, particularly when those mechanisms can be stretched far beyond their intended scale.
Sources: elEconomista.es