
A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers (wired.com)

(Tuesday November 18, 2025 @11:45AM (msmash) from the how-about-that dept.)


Researchers at the University of Vienna [1]extracted phone numbers for 3.5 billion WhatsApp users by systematically checking every possible number through the messaging service's contact discovery feature. The technique yielded profile photos for 57 percent of those accounts and profile text for 29 percent. The researchers checked roughly 100 million numbers per hour through WhatsApp's browser-based client.

The team warned Meta in April and deleted their data. The company implemented stricter rate limiting by October to prevent such mass enumeration. Meta called the exposed information "basic publicly available information" and said it found no evidence of malicious exploitation.

The weakness had been identified before. In 2017, Dutch researcher Loran Kloeze published a blog post detailing the same enumeration technique. Meta responded then that WhatsApp's privacy settings were functioning as designed and denied him a bug bounty reward.

The researchers collected 137 million U.S. phone numbers. In India, they found nearly 750 million numbers. They also discovered 2.3 million Chinese numbers and 1.6 million Myanmar numbers, despite WhatsApp being banned in both countries. The researchers also analyzed the accounts' cryptographic keys and found that some accounts shared the same key. They speculate this resulted from unauthorized WhatsApp clients rather than a platform flaw.



[1] https://www.wired.com/story/a-simple-whatsapp-security-flaw-exposed-billions-phone-numbers/
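The summary above describes the two sides of this story: an enumeration that walks a numbering block and asks a contact-discovery endpoint "is this number registered, and what is its public profile?", and the mitigation Meta eventually shipped, stricter rate limiting. The following is an added example written for this page; it is not the researchers' tooling and not WhatsApp's API. The service, the registered numbers, the profile fields, the client id and the bucket parameters are all constructed, and a deterministic fake clock stands in for wall time so the run is reproducible offline.

```python
"""Simulated contact-discovery enumeration with and without per-client rate limiting.

Added example for this page: a constructed mock service, not the researchers'
tooling and not WhatsApp's API.  Numbers, profiles and limits are made up.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed backend: the only registered numbers in this toy service.
REGISTERED = {
    "+15550007": {"photo": True,  "about": "on the road"},
    "+15550100": {"photo": True,  "about": None},
    "+15550142": {"photo": False, "about": None},
    "+15550198": {"photo": True,  "about": "ask me"},
}


class RateLimited(Exception):
    """Raised when a client's token bucket is empty."""


@dataclass
class TokenBucket:
    """Classic token bucket: a burst of `capacity`, refilled at `rate` tokens per second."""
    capacity: int
    rate: float
    tokens: float = 0.0
    last: Optional[float] = None

    def take(self, now: float) -> bool:
        if self.last is None:                      # first use: bucket starts full
            self.tokens, self.last = float(self.capacity), now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ContactDiscovery:
    """Mock lookup endpoint: tells a client whether a number is registered and, if so,
    returns the public profile fields.  With limit=(capacity, rate) each client gets
    its own bucket (the post-fix behaviour); with limit=None lookups are unthrottled."""

    def __init__(self, limit: Optional[tuple[int, float]] = None):
        self.limit = limit
        self.buckets: dict[str, TokenBucket] = {}

    def lookup(self, client: str, number: str, now: float) -> Optional[dict]:
        if self.limit is not None:
            bucket = self.buckets.setdefault(client, TokenBucket(*self.limit))
            if not bucket.take(now):
                raise RateLimited(client)
        return REGISTERED.get(number)


def enumerate_range(service: ContactDiscovery, client: str, prefix: str,
                    start: int, stop: int, width: int, clock: Callable[[], float]):
    """Walk prefix + zero-padded suffix for every suffix in [start, stop), which is
    how a brute-force crawl of a numbering block works.  Returns
    (found, attempted, throttled); stops at the first RateLimited."""
    found, attempted = {}, 0
    for suffix in range(start, stop):
        number = f"{prefix}{suffix:0{width}d}"
        try:
            profile = service.lookup(client, number, clock())
        except RateLimited:
            return found, attempted, True
        attempted += 1
        if profile is not None:
            found[number] = profile
    return found, attempted, False


def make_clock(step: float) -> Callable[[], float]:
    """Deterministic clock: each call advances `step` seconds (the time one lookup
    is assumed to take), so the example runs the same way every time."""
    state = {"now": -step}

    def clock() -> float:
        state["now"] += step
        return state["now"]
    return clock


def demo() -> dict:
    """Crawl the constructed block +1555 0000 .. +1555 0199 at one lookup per millisecond."""
    open_service = ContactDiscovery(limit=None)
    f1, a1, t1 = enumerate_range(open_service, "crawler", "+1555", 0, 200, 4, make_clock(0.001))

    # Bucket of 50 refilled at 1 token/s (constructed values): a client syncing a
    # normal-sized address book never notices it; a crawler is cut off after 50.
    limited_service = ContactDiscovery(limit=(50, 1.0))
    f2, a2, t2 = enumerate_range(limited_service, "crawler", "+1555", 0, 200, 4, make_clock(0.001))

    return {
        "open":    {"found": sorted(f1), "attempted": a1, "throttled": t1},
        "limited": {"found": sorted(f2), "attempted": a2, "throttled": t2},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The unthrottled run answers all 200 lookups and hands back every registered number with its public profile; the limited run stops after the 50th. The caveat a practitioner should keep in mind is that a per-client bucket only raises the cost: a crawler that spreads lookups across many accounts divides the work by the number of accounts it controls, so the limit has to be set against what a legitimate contact sync actually needs and paired with monitoring for lookup fan-out across accounts.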



Assumption of Laziness (Score:4, Funny)

by TwistedGreen ( 80055 )

This is the case of security through "come on, nobody would ever waste their time doing that."

That said, remember phone books?

Re:Assumption of Laziness (Score:4, Insightful)

by fluffernutter ( 1411889 )

Phone books were always opt-out.

Re:Assumption of Laziness (Score:4, Informative)

by registrations_suck ( 1075251 )

For a FEE.

You had to pay a fee to have an unlisted number.

Re: (Score:2)

by fluffernutter ( 1411889 )

Only in capitalist hellholes.

Re: (Score:2)

by ddtmm ( 549094 )

I knew people who used madeup names so that they didn't have to pay to be unlisted. Your listing didn't have to go by your billing name.

Public data being public is now a security flaw? (Score:2)

by itsme1234 ( 199680 )

I mean, probably Meta/Facebook/WhatsApp itself might not be happy with people crawling and gathering this data, but it's not something that can easily be prevented. There are SIM farms that have 100k + 200k SIM cards, and that's only what law enforcement caught in one case in one place [1]https://www.cbsnews.com/news/f... [cbsnews.com] . Also, most people are directly concerned with people they know, and they should know better that if they put "I want to hurt my boss, XXX YYY" or a picture w

[1] https://www.cbsnews.com/news/feds-sim-cards-nj-after-disrupting-network-threatened-u-n-general-assembly/

Numbers but not names ? (Score:1)

by greytree ( 7124971 )

AFAICT (link is paywalled) they got numbers, sometimes photos, but not names?

Meta ffs (Score:3)

by toxonix ( 1793960 )

Meta called the exposed information "basic publicly available information"

Uhm, what it's called by everyone else in the tech industry is "personally identifiable information" or PII.

And the security rules around PII are that it should not be exposed under any circumstances to anyone not authorized by the Person in question to view it.

Basically publicly available for fox snakes.

Re: (Score:1)

by TheStickBoy ( 246518 )

agree.

Also my cell phone number I use for WhatsApp is not publicly available, not listed, so how does that fit into their thinking?

Re: (Score:2)

by registrations_suck ( 1075251 )

But it is!

Anyone on the planet can dial your number and connect a call to you.

What may not be "publicly available" is the association of your name with your number, but the number itself can be dialed by anyone.

Re: (Score:1)

by TheStickBoy ( 246518 )

Oh, I would call that "publicly accessible" but I see your point.

Re: (Score:2)

by itsme1234 ( 199680 )

Huh? This is literally your public WhatsApp profile (if you want it public in the first place). It's like [1]https://www.facebook.com/Crist... [facebook.com] complaining OMG everyone can see the picture that I'm showing there and I set to be visible to everyone, and the name even if I didn't give it to anyone someone figured out ..../Cristiano/... is a likely page and got my picture !

[1] https://www.facebook.com/Cristiano/about

War dialing (Score:2)

by nycsubway ( 79012 )

Reminds me of war dialing, looking for modems to connect to a network.

Re: (Score:2)

by itsme1234 ( 199680 )

This reminds me of Home Alone voicemail, except worse, just setting the message to "We're the McCallisters and will be in Paris for the holidays" but for a modern experience doing it on Meta's platform and then of course complain it's someone else's fault for the info getting public.

Whatsapp is forbidden in some countries (Score:2)

by twms2h ( 473383 )

... so if the police of these countries get their hands on this data they could sanction people with phone numbers from these countries.

So, this is not "just phone numbers and pictures" but could result in serious consequences for some people.

Also they found some drug dealers advertising their portfolio in their account description. This is a case where the police should actually try to "hack" Meta.
