Researchers from the University of Vienna have uncovered a serious vulnerability in WhatsApp that enabled the mass collection of users' phone numbers through the contact search feature. By employing a simple brute-force method via the web version of the service, they managed to obtain over 3.5 billion records, effectively creating a database of phone numbers for the majority of the platform's users. This was reported by Wired.
In addition to the numbers, the researchers were able to download profile avatars for 57% of accounts and public profile text for 29%, as this information is visible to anyone who adds the number to their contacts. The team reported the issue to Meta in April 2025 and deleted the collected database. In October, the company implemented stricter rate limits on requests to close off the possibility of mass checks.
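The article only says that Meta closed the enumeration path by tightening rate limits on lookup requests. The following Python example is added here to illustrate that defensive control in concrete terms; it is not WhatsApp's or Meta's code, and the limits it uses (500 lookups per client per hour) are assumed values chosen for the illustration, not figures from the article. The point it demonstrates is that a per-client sliding-window cap leaves an ordinary contact sync untouched while bounding a bulk checker to at most `max_lookups` results per window, so that checking billions of numbers becomes impractical from a single client.

```python
from collections import deque


class ContactLookupLimiter:
    """Per-client sliding-window limit on contact-existence lookups.

    Assumed defaults (not from the article): 500 lookups per 3600-second window.
    Each client keeps a queue of lookup timestamps; a request is allowed only if
    fewer than max_lookups timestamps fall inside the trailing window.
    """

    def __init__(self, max_lookups: int = 500, window_seconds: float = 3600.0):
        self.max_lookups = max_lookups
        self.window_seconds = window_seconds
        self._history: dict[str, deque] = {}

    def allow(self, client_id: str, now: float) -> bool:
        """Return True if this lookup is permitted at time `now` (seconds)."""
        q = self._history.setdefault(client_id, deque())
        cutoff = now - self.window_seconds
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False  # client has exhausted its budget for this window
        q.append(now)
        return True


def simulate(limiter: ContactLookupLimiter, client_id: str,
             n_requests: int, interval: float) -> int:
    """Issue n_requests lookups spaced `interval` seconds apart and return
    how many the limiter allowed. The request pattern is constructed for
    the illustration, not observed traffic."""
    allowed = 0
    for i in range(n_requests):
        if limiter.allow(client_id, i * interval):
            allowed += 1
    return allowed


if __name__ == "__main__":
    lim = ContactLookupLimiter()
    # A normal client syncing 20 contacts, one per second: nothing is blocked.
    print("contact sync allowed:", simulate(lim, "phone-a", 20, 1.0))
    # A bulk checker firing 10 lookups per second for 1000 seconds is capped.
    print("bulk checker allowed:", simulate(lim, "scraper-b", 10_000, 0.1))
    # Even a slow, steady checker gets at most max_lookups per window.
    print("two-hour steady checker allowed:", simulate(lim, "scraper-c", 7200, 1.0))
```

The limiter is deliberately per-client; in practice the budget would be keyed on the authenticated account or device rather than on an IP address, and the window and cap would be tuned so that a legitimate address-book import still completes.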
Meta stated that no signs of malicious use of this technique were found and that the reported information consisted of "basic public data." However, researchers emphasize that they did not bypass any security mechanisms; such mechanisms simply did not exist. Another researcher had described a similar vulnerability back in 2017, but it was never fixed.
The analysis also revealed a significant number of accounts with publicly visible information. For instance, among 137 million numbers from the USA, 44% had publicly visible profile photos. In India, where WhatsApp is most popular, this figure reached 62%.
Researchers believe that such large databases could be of interest to spam campaigns or governments in countries where WhatsApp is blocked. Among the data obtained, they found 2.3 million numbers from China and 1.6 million from Myanmar, which could pose risks to users in those countries.
The team also found repeating cryptographic keys in some accounts, which may indicate the use of unofficial WhatsApp clients, particularly by those engaging in fraud.
Researchers conclude that the main issue is the use of phone numbers as universal identifiers. They were not intended to be treated as private or unique keys, but in WhatsApp, they serve as the foundation for searching and verifying accounts. Meta is already testing a nickname system as an alternative.