Researchers claim 'largest leak ever' after uncovering WhatsApp enumeration flaw

(2025/11/19)


Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the "largest data leak in history."

The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set.

Using this feature, the researchers gathered user details at a rate of more than 100 million accounts per hour, feeding in 63 billion candidate phone numbers generated with a tool they built on top of Google's [1]libphonenumber library.

In typical settings, platforms would rely on rate limiting to prevent this kind of abuse, but WhatsApp still allowed enumeration on this scale without the researchers "encountering blocking or effective rate limiting."

The researchers [5]wrote [PDF]: "To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 billion phone numbers registered on WhatsApp (exceeding the "more than 2 billion people" officially stated by WhatsApp)."
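As an added illustration (not code from the paper, from WhatsApp or from Meta), the following Python sketches the two server-side checks a phone-number lookup endpoint would need to stop a sweep of this kind: a sliding-window rate limit per session, and a hit-ratio check that separates a genuine address-book sync (mostly registered contacts, a few hundred numbers) from a brute-force walk over a numbering plan (mostly unregistered numbers, thousands per second). The event format, session identifiers, thresholds and the three simulated workloads are all constructed assumptions for the example.

```python
"""Enumeration defence for a phone-number lookup endpoint (added example).

Assumed event shape (hypothetical): each lookup is (timestamp, session_id,
e164_number, hit), where `hit` says whether the number belongs to a
registered account. Thresholds are illustrative, not WhatsApp's.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field
import re

E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass
class SessionState:
    window: deque = field(default_factory=deque)  # timestamps inside the window
    queried: int = 0                               # lookups accepted so far
    hits: int = 0                                  # of those, registered numbers


class EnumerationGuard:
    def __init__(self, window_seconds=60, max_per_window=500,
                 min_sample=200, min_hit_ratio=0.3):
        self.window_seconds = window_seconds
        self.max_per_window = max_per_window
        self.min_sample = min_sample        # lookups before the ratio is judged
        self.min_hit_ratio = min_hit_ratio  # below this, the session is a sweep
        self.sessions = defaultdict(SessionState)
        self.blocked = set()

    def check(self, ts, session_id, number, hit):
        """Classify one lookup: allow, rate_limited, blocked or rejected."""
        if session_id in self.blocked:
            return "blocked"
        if not E164.match(number):
            return "rejected"  # malformed input never counts toward anything
        st = self.sessions[session_id]
        # Sliding window: drop timestamps older than window_seconds.
        while st.window and ts - st.window[0] > self.window_seconds:
            st.window.popleft()
        if len(st.window) >= self.max_per_window:
            return "rate_limited"  # not appended, so the window stays full
        st.window.append(ts)
        st.queried += 1
        st.hits += int(hit)
        # Hit-ratio check: a real address book is mostly registered contacts;
        # a sweep of a numbering plan is mostly misses.
        if st.queried >= self.min_sample and st.hits / st.queried < self.min_hit_ratio:
            self.blocked.add(session_id)
            return "blocked"
        return "allow"


def run(guard, session_id, count, seconds, is_hit):
    """Feed `count` constructed lookups spread over `seconds` and tally outcomes."""
    tally = Counter()
    for i in range(count):
        number = f"+4366{i:07d}"          # constructed Austrian-looking numbers
        tally[guard.check(i * seconds / count, session_id, number, is_hit(i))] += 1
    return tally


def simulate():
    """Three constructed workloads; returns {scenario: Counter(outcomes)}."""
    guard = EnumerationGuard()
    return {
        # 300 contacts over 10 s, 90% registered: a normal first sync.
        "address_book_sync": run(guard, "s1", 300, 10, lambda i: i % 10 != 0),
        # 7,000 numbers in 1 s, ~5.5% registered: the paper's per-session rate
        # against a numbering plan. The ratio check trips at the 200th lookup.
        "numbering_plan_sweep": run(guard, "s2", 7000, 1, lambda i: i % 18 == 0),
        # 1,000 real contacts in 10 s: good ratio, but far too fast, so the
        # window limit holds it to 500 per minute.
        "fast_sync": run(guard, "s3", 1000, 10, lambda i: i % 10 != 0),
    }


if __name__ == "__main__":
    for name, tally in simulate().items():
        print(name, dict(tally))
```

The caveat a practitioner will spot immediately: both checks are per session, and the paper reports that neither the researchers' accounts nor their IP address was ever blocked, so an attacker who spreads the sweep across many accounts stays under each per-session threshold. A real deployment also needs aggregates across accounts and source addresses (total distinct numbers queried per hour, global miss rate per numbering prefix), and rate limiting only slows the sweep; it does not change what a single lookup reveals.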

More than 57 percent of the active accounts they enumerated had a profile picture, two-thirds of which contained detectable human faces, which the researchers said could be used to build a reverse phonebook where a person's image reveals other details about them.

Around 29 percent had text in their profile that could also build a fuller picture of each user.

Reporters, researchers, and other interested parties often look at the coverage of a data breach, see that only basic personal information is involved, and conclude that its real-world severity is fairly low, since much of that information is already in the public domain.

However, the text included in profiles could, in some cases, reveal additional sensitive information about the user, such as their sexual orientation, political views, drug use and trafficking, links to other platforms such as LinkedIn and Tinder, and professional email addresses.

Regarding the latter, the researchers were able to link enumerated phone numbers to government and military officials too.

Furthermore, several countries ban WhatsApp. China, Myanmar, and North Korea are notable examples, while other countries like Iran and Senegal have previously instituted bans and later rescinded them.

However, millions of active WhatsApp accounts were associated with phone numbers registered in these countries, a revelation consistent with WhatsApp boss Will Cathcart's [8]previous admission .

Countries such as [9]China are known for persecuting people for breaking rules, such as circumventing bans on WhatsApp and other platforms. The [10]consequences can reportedly include detention and being sent to re-education camps.

Less critical, but still pertinent, is the potential for abuse by cybercriminals and troublemakers.

The researchers said: "Large-scale databases of registered phone numbers can be misused by attackers. Since a registered number typically indicates an active device, these lists are a reliable basis for spam, [11]phishing , or [12]robocall attacks."

They also said it raises the question of how long this information remains valid and therefore open to abuse.

The team tested this against the [13]great Facebook data scrape of 2021, which exposed the phone numbers, locations, email addresses, birthdays, and marital statuses of 533 million profiles: half of the phone numbers from that leak still appeared among the 3.5 billion active accounts they enumerated from WhatsApp.

The Register asked Meta for more information, including whether it has implemented any additional protections after the researchers disclosed the potential for abuse via its bug bounty program.

In its response, the tech giant did not say whether it had added security measures specifically in reaction to the researchers' submission, but it said it had already been working on anti-scraping systems.

Nitin Gupta, VP of engineering at WhatsApp, said: "We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.

"We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.

"As a reminder, user messages remained private and secure thanks to WhatsApp's default end-to-end encryption, and no non-public data was accessible to the researchers."

We also spoke to Gabriel Gegenhuber, a PhD candidate at the University of Vienna and researcher at SBA Research who co-authored the paper, and he confirmed that Meta's response was effective at preventing its methods.

He told us: "We supported Meta/WhatsApp with our knowledge in their remediation and retesting process.

"As part of that process, we have tried the exact same steps as for the original study, but were blocked swiftly. So we can confirm there are countermeasures in place now.

"This was, of course, not a detailed security audit of the entire WhatsApp infrastructure.

"As usual in security, the existence of security/privacy issues is easier to prove than their non-existence."

He also pointed to the disclosure timeline, as set out in the paper, and how it took Meta nearly a year to provide a meaningful response to the numerous tickets they raised throughout the research process.

It was only after the team supplied Meta with a pre-print of the paper and notified it of their intention to publish that the company requested a conference call to discuss the findings and asked the researchers to delay publication.

"However, as soon as they realized the extent of the issue, they took it seriously and reacted promptly," said Gegenhuber. ®

[1] https://github.com/google/libphonenumber

[5] https://github.com/sbaresearch/whatsapp-census/blob/main/Hey_there_You_are_using_WhatsApp.pdf

[8] https://www.bbc.co.uk/news/articles/ckke9x0e50xo

[9] https://www.theregister.com/2024/04/19/whatsapp_threads_ban_china/

[10] https://www.businessinsider.com/china-uyghur-muslim-women-detained-precrimes-facebook-whatsapp-google-gmail-2021-10

[11] https://www.theregister.com/2025/10/16/ai_makes_phishing_45x_more_effective/

[12] https://www.theregister.com/2025/09/26/brits_warned_as_illegal_robocallers/

[13] https://www.theregister.com/2022/11/28/ireland_fines_meta/

University of Vain-a

elsergiovolador

Calling this “the largest data leak in history” is like a researcher finding a phone book and screaming BREACH. They didn’t hack anything, they just asked WhatsApp “who’s this then?” a few billion times and WhatsApp, behaving exactly as designed, replied “here you go” like an overworked receptionist.

The only scandal is that anyone is pretending this behaviour isn’t fundamental to the product. Rate limits don’t fix the underlying absurdity: if you can type a number, you can query the person attached to it. That’s not a vulnerability, that’s the feature you all signed up for.

And the breathless academic tone doesn’t help. “We confirmed 3.5 billion numbers.” Yes, congratulations, you discovered that WhatsApp is popular and that humans use profile photos. Next week: groundbreaking research reveals water still wet, sky maintains blue streaks.

The real punchline is Meta acting grateful, as if they hadn’t been running a global identity directory for a decade and only just noticed someone looked at it too enthusiastically.

And honestly, if this is what passes for “research” at a modern university, God help us all. Enumerating phone numbers with a library someone else wrote is now worthy of papers, press rounds and responsible disclosure rituals. At this rate, the next PhD breakthrough will be “we discovered you can ring people by pressing the digits in the correct order.”

Re: University of Vain-a

Tron

Will we be getting university researchers going round estates trying 3D printed skeleton keys on people's doors at night next?

Every car that whizzes past outside is a 'potential harm', but I have not found myself under one yet.

We should be expecting more of uni researchers than this.

Re: University of Vain-a

seven of five

to paraphrase the late Sith Lord Darth Vader:

Your lack of imagination is... disappointing.

Re: University of Vain-a

Curious

Did you look through the paper? https://github.com/sbaresearch/whatsapp-census

The researchers do analysis of public key reuse, recurrence and collisions, by country and client, and dataset gathering from the scraping.

"It contains only one piece of advice for privacy-conscious WhatsApp users: they should reconsider their profile photo and info field."

And that the scraped data can act as a reverse phone-book. profile picture -> mobile number, email, employer, and info that unwitting accountholders might intend only for their contacts.

Meta in 2021 had their spokesperson say...

"Protecting the privacy and security of people's data is fundamental to how our business works," the Meta spokesperson said, adding that the company "cooperated fully" with Ireland's DPC.

"We made changes to our systems during the time in question, including removing the ability to scrape our features in this way using phone numbers," the spokesperson added. "Unauthorised data scraping is unacceptable and against our rules and we will continue working with our peers on this industry challenge."

But the paper lists that it required 8 or so attempts over the course of a year to get Meta to pay attention and acknowledge findings.

Just because it's easier than bin diving does not mean it's not valuable to know.

"Approximately 30 percent of users have entered something in the “Info” field of their profile, and some reveal a lot: political views, sexual or religious orientation, confessions of drug abuse are found there, as are drug dealers who advertise their product range in this very field. Beyond that, the Vienna researchers found information about the user's workplace, up to hyperlinks to profiles on social networks, on Tinder or OnlyFans. Email addresses were of course included,"

https://www.heise.de/en/news/3-5-Billion-Accounts-Complete-WhatsApp-Directory-Retrieved-and-Evaluated-11083244.html

"The easy accessibility of the photos would therefore have allowed the compilation of a database that, through facial recognition, often leads to the phone number and vice versa. Even profile pictures without faces can be talkative: sometimes car license plates, street signs, or landmarks are depicted."

"The Vienna scientists have found that WhatsApp sometimes reuses keys if you log out of WhatsApp on a phone and then open a new WhatsApp account on the same device with a new phone number. This is a security flaw that Meta is now trying to address."

Also the measures that Whatsapp put in place to discourage future scraping are listed, so can be checked if they disappear in a few years due to inconvenience.

Re: University of Vain-a

Androgynous Cupboard

That's an incredibly dumb comment.

Consider what you could do with 3 billion phone numbers and email address, 2 billion face images and a reverse image lookup. Want the private contact number for a government minister? Easy.

If you haven't the imagination to see how this could be useful, maybe just sit this conversation out.

Re: University of Vain-a

Doctor Syntax

"behaving exactly as designed"

There's a basic assumption in there - that anything approaching design was even considered.

FacePlant

Snake

Owned by them, it's expected that they would eventually pwn you.

Wait, what?

heyrick

" However, the text included in profiles could, in some cases, reveal additional sensitive information about the user "

The problem here is the lack of effective rate limiting or blocking (because a bot could scrape this just as easily).

The "sensitive information" part is a complete red herring. If people specifically put additional things on their profile, then it ought to come with the expectation that it will be seen. It's hardly a data leak then, is it?

Re: Wait, what?

Brewster's Angle Grinder

Who realised this was public? I've just had a heart stopping moment. Fortunately, my details were a first name only and a profile picture of me aged about six. (No subsequent picture has ever looked as good.) No text. No links to other platforms. But it offers those options. I would only want those things shared with someone whom I've entered a reciprocal relationship.

Re: Wait, what?

WolfFan

Heh. There's a reason why I use throwaway accounts for sign-ins to things like El Reg, and, if I had any, which I don't, to ArseBook/What'sNonsense/other anti-social media. The account I used to sign up for El Reg has a nice pic, of a wolf, a very handsome wolf with lots of very big teeth. (I like wolves...) And all PII on that profile is deliberately inaccurate; I have several throwaway emails which I use for various sites, with different profiles, pix, PII, etc. I have a nice little SQL-based database on my iPad which I use to keep track of which profiles say what; the data can be exported to the DBMS on my desktop systems (not Access, Access doesn't run on Macs) and I can mess with it at will. (I have a LOT of throwaways.) My real pic is not even on my various Apple or (soon to die) MS accounts and will NEVER be anywhere near Google accounts if I can prevent it. (My 'personal' MS account has a pic of Commander Adama with Galactica in the background. Commander Adama has the proper attitude towards network security. So say we all.)

Re: Wait, what?

Anonymous Coward

My profile pic is a picture (think one of their own options) of what appears to be a bear farting in a hot spring. Whilst in some respects authentic to me, the actual image is probably used by another million or so users; I'm not overly concerned at the leak.

Alarming although not surprising

MrReynolds2U

Since Meta didn't notice this scrape happening, it's likely not the first such occurrence. We should expect this dataset to exist in the wild.

What I find worrying is that you could take a public image of someone (potentially from their FB page), use a little face matching tech and extract their phone number from your scraped data.

This would allow a variety of bad things ranging from abusive calls, fake number presentation (calling as that person), through to targeted delivery of malware to a handset.

This feels more serious than the general perception. I would not be surprised if this is also potentially a massive breach of GDPR.