Mallory

WhatsApp Enumeration Flaw Exposes Billions of User Phone Numbers

Tags: WhatsApp, phone numbers, mass enumeration, user enumeration, phishing, messaging platforms, user data, personal information, exploit, malicious activities, enumeration, vulnerability, active users, privacy, breach
Updated November 22, 2025 at 01:00 PM (2 sources)

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Researchers have discovered that WhatsApp's phone number discovery feature, which tells a client which of the numbers in its address book are registered on the service, allows for mass enumeration of user phone numbers, exposing the personal information of up to 3.5 billion users. By automating the process of checking which numbers are registered, attackers can compile extensive lists of active users, enabling privacy violations, targeted phishing, and other malicious activities. The weakness was first reported eight years ago and remained unmitigated for years, raising significant concerns about the platform's approach to user data protection.

The issue has gained renewed attention after a team from the University of Vienna demonstrated the scale of the exposure, calling it "the most extensive exposure of phone numbers" ever seen. Security experts warn that the lack of effective rate limiting or other technical safeguards enables this enumeration attack, and the incident has been widely reported in security news outlets and discussed in industry podcasts. The exposure underscores the ongoing risks associated with user enumeration flaws in major messaging platforms and the need for stronger privacy controls.
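To make the "lack of effective rate limiting or other technical safeguards" concrete, the following Python sketch models a contact-discovery endpoint with the two server-side controls the summary says were absent: a per-client lookup budget counted in phone numbers rather than in requests (so batching does not evade it), and a per-batch heuristic that separates an address-book sync from a numeric sweep. This is an added illustration, not code from the page, the University of Vienna researchers, or Meta, and it is not WhatsApp's real contact-discovery protocol or Meta's actual anti-scraping logic. The directory, client identifiers, thresholds and phone numbers are all constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed stand-in directory: every 20th number in a 10,000-number block is
# "registered". Assumption for the demo only, not real WhatsApp data.
REGISTERED = {f"+1555000{n:04d}" for n in range(0, 10000, 20)}


class LookupBudget:
    """Sliding-window budget measured in phone numbers looked up, not requests,
    so that packing 1,000 numbers into one request does not evade the limit."""

    def __init__(self, max_numbers, window_seconds):
        self.max_numbers = max_numbers
        self.window = window_seconds
        self.events = defaultdict(deque)  # client_id -> deque of (timestamp, count)

    def try_consume(self, client_id, count, now):
        q = self.events[client_id]
        while q and now - q[0][0] >= self.window:  # expire old events
            q.popleft()
        used = sum(c for _, c in q)
        if used + count > self.max_numbers:
            return False
        q.append((now, count))
        return True


def enumeration_signals(numbers, registered):
    """Two cheap signals that separate a sync from a sweep: a real contact list
    is mostly registered and not numerically contiguous; a brute-force sweep is
    mostly unregistered and contiguous. Returns (miss_ratio, sequential_fraction)."""
    if not numbers:
        return 0.0, 0.0
    hits = sum(1 for n in numbers if n in registered)
    miss_ratio = 1 - hits / len(numbers)
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    adjacent = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    seq_fraction = adjacent / max(1, len(digits) - 1)
    return miss_ratio, seq_fraction


class ContactDiscovery:
    """Hypothetical discovery endpoint; thresholds are illustrative assumptions."""

    def __init__(self, registered, max_numbers=2000, window_seconds=3600,
                 min_batch=100, miss_threshold=0.8, seq_threshold=0.5):
        self.registered = registered
        self.budget = LookupBudget(max_numbers, window_seconds)
        self.min_batch = min_batch          # small batches are not scored
        self.miss_threshold = miss_threshold
        self.seq_threshold = seq_threshold
        self.flagged = set()

    def lookup(self, client_id, numbers, now):
        if client_id in self.flagged:
            return {"status": "blocked", "found": []}
        if not self.budget.try_consume(client_id, len(numbers), now):
            return {"status": "rate_limited", "found": []}
        if len(numbers) >= self.min_batch:
            miss_ratio, seq_fraction = enumeration_signals(numbers, self.registered)
            if miss_ratio >= self.miss_threshold or seq_fraction >= self.seq_threshold:
                self.flagged.add(client_id)  # sweep pattern: cut the client off
                return {"status": "blocked", "found": []}
        return {"status": "ok",
                "found": sorted(n for n in numbers if n in self.registered)}


if __name__ == "__main__":
    svc = ContactDiscovery(REGISTERED)
    # Constructed "real" address book: 120 registered, 30 unregistered, non-contiguous.
    book = [f"+1555000{n:04d}" for n in range(0, 2400, 20)] + \
           [f"+1555000{n:04d}" for n in range(5001, 5061, 2)]
    print("sync:", svc.lookup("alice", book, now=0.0)["status"])
    # Constructed sweep of 1,000 contiguous numbers in one batch.
    sweep = [f"+1555000{n:04d}" for n in range(0, 1000)]
    print("sweep:", svc.lookup("sweeper", sweep, now=1.0)["status"])
    # Same sweep split into batches of 50: not scored, but the budget runs out.
    for i in range(41):
        batch = [f"+1555000{n:04d}" for n in range(i * 50, i * 50 + 50)]
        status = svc.lookup("slow", batch, now=float(i))["status"]
    print("41st small batch:", status)
```

The per-batch heuristic is deliberately simple; a production version would aggregate miss ratio and contiguity per client across the whole window, since small batches are the obvious way around a per-batch score. The point the budget makes is the one the summary makes: the control has to bound the number of distinct numbers a client can test, not just the request rate.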

Related Stories

WhatsApp Contact Discovery Flaw Exposes Billions of Phone Numbers

A group of Austrian researchers demonstrated that WhatsApp's contact discovery feature could be abused to enumerate and extract the phone numbers of 3.5 billion users globally. By automating the process of checking every possible phone number through WhatsApp’s browser-based app, the researchers were able to access not only phone numbers but also profile photos for 57% of users and profile text for 29%. This large-scale data exposure was possible because Meta, WhatsApp’s parent company, did not sufficiently limit the speed or volume of contact discovery requests, despite prior warnings about this vulnerability. In response to this and other security concerns, Meta has expanded its bug bounty initiatives, launching the WhatsApp Research Proxy tool to facilitate deeper research into WhatsApp’s network protocol and platform abuse. The company also reported adding new anti-scraping protections to WhatsApp after the enumeration technique was disclosed. Meta highlighted its ongoing investment in security, noting over $4 million in bug bounties paid out in the past year and the patching of several notable vulnerabilities, including CVE-2025-59489 affecting Quest devices.

3 months ago

WhatsApp Vulnerabilities and Malware Targeting User Privacy and Security

A recently discovered vulnerability in WhatsApp allowed researchers to enumerate up to 3.5 billion active accounts by exploiting the app's contact syncing feature. This flaw, responsibly disclosed by researchers at the University of Vienna and subsequently patched by Meta, could have enabled malicious actors to build massive databases of phone numbers linked to WhatsApp, along with associated profile photos and "About" texts. While there is no evidence the vulnerability was exploited in the wild, the incident highlights the risks posed by convenience features and the critical importance of protecting phone numbers as sensitive personal data. In addition to this privacy risk, WhatsApp users are being targeted by a new Android malware that propagates itself through the platform. The malware automatically replies to incoming WhatsApp messages with malicious links, leveraging the trust users place in their contacts to spread further. This attack exploits the phenomenon of "context collapse," where users' social boundaries blur on messaging platforms, making them more susceptible to social engineering. These developments underscore the growing threat landscape facing WhatsApp users, combining both technical vulnerabilities and sophisticated social attacks.

3 months ago

Mobile Messaging Account Compromises and Spyware Threats

Security researchers and intelligence analysts have documented a series of incidents and trends highlighting the risks to mobile messaging accounts and devices. In December, a new form of WhatsApp account hijacking called GhostPairing was identified, where attackers trick users into linking an attacker-controlled browser to their WhatsApp device, potentially exposing sensitive information. Separately, researchers uncovered large-scale scraping of WhatsApp's contact discovery tool, resulting in the exposure of billions of phone numbers and associated profile data. Meanwhile, spyware threats targeting both iPhone and Android users have escalated, with zero-click attacks enabling adversaries to compromise devices and access encrypted messaging apps such as WhatsApp and Signal. Apple and Google responded by patching vulnerabilities believed to be exploited by commercial spyware like Predator, and the US CISA issued warnings about the active targeting of mobile messaging applications. In another high-profile case, the Iranian-linked Handala hacking group claimed to have fully compromised the mobile devices of two Israeli officials. However, forensic analysis revealed that only their Telegram accounts were breached, not the entire devices. The attackers likely used techniques such as SIM swapping, SS7 exploitation, and phishing to gain access, exposing gaps in session management and account security on encrypted messaging platforms. These incidents underscore the growing sophistication of attacks against mobile messaging services and the need for robust security measures, including privacy controls, passkey-encrypted backups, and vigilance against phishing and SIM-based attacks.

2 months ago
