Data Breach: Public Data Exposure Revealed

A study from the University of Vienna shows that by leveraging WhatsApp’s contact discovery system, it was possible to automatically collect public data from more than 3.5 billion users, revealing the limitations of the phone number-based model.

A team of researchers from the University of Vienna has revealed a flaw in WhatsApp’s contact discovery system, allowing the automated enumeration and collection of more than 3.5 billion phone numbers, profile photos and public statuses. This operation, carried out via the application’s web interface, highlights the limits of privacy protection on platforms with several billion users.

The simplified registration procedure has its flaws

For years, WhatsApp has based its growth on a simplified registration procedure: a telephone number is enough to activate an account and automatically find your contacts. This model facilitates global adoption of the service, but opens the door to enumeration techniques. These involve serial testing of large ranges of numbers to determine which ones are associated with existing accounts.

The Austrian researchers exploited the lack of strict rate limits on WhatsApp Web to automate this process. Their system sent hundreds of millions of queries per hour, identifying 3.5 billion active users without bypassing any security mechanism. By default, the interface returned certain public information, including profile photos and status texts whose visibility users had set to “public”.


According to the study, 57% of identified accounts displayed a profile photo and 29% had visible status text. The proportions varied from country to country. In the United States, 44% of accounts had a public image, while in India and Brazil – two countries where WhatsApp is ubiquitous – the rates reached 62% and 61%, respectively. The researchers point out that these differences reflect the widespread use of the application in certain regions and less frequently changed privacy settings.

The study also highlighted the presence of millions of accounts in countries where WhatsApp is banned, such as China or Myanmar. In these areas, the installation of the application has already been associated with government controls and even arrests, increasing concerns about the possible exploitation of public data.

No intrusion into systems, according to the researchers

The researchers insist that their approach required no intrusion into the service’s systems: the flaw arises from the normal functioning of the contact discovery process and from the absence, at the time, of effective rate limiting. Other platforms impose technical restrictions to prevent this type of large-scale scraping, but WhatsApp had no comparable protections at the time.

Meta, owner of WhatsApp, says it strengthened its anti-scraping mechanisms after the report was disclosed. The company states that no messages were exposed, noting that communications remain end-to-end encrypted. It also maintains that only “public” information could have been collected, in accordance with the settings chosen by the users.


The authors of the study partly contest this version, emphasizing the absence of significant barriers during their experiment. According to them, while rate limits can reduce risks, they are not enough to prevent large-scale data collection when an application relies on the direct association between phone numbers and user accounts.
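To make the disagreement above concrete, here is an added illustration (not the researchers’ tooling, and not WhatsApp’s or Meta’s code) of why a per-client rate limit on a contact-discovery endpoint is necessary but not sufficient. The log format, the client names and the number ranges are constructed for this example. A sliding-window limiter catches a single client that fires many lookups, but a range walk spread thinly across many clients stays under every per-client limit; a second, aggregate signal that looks for long runs of consecutive numbers being probed is what surfaces the serial-testing pattern described earlier in the article.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example: one lookup per line, e.g.
#   "1000 client=app-legit lookup=+4315550101 hit=1"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) client=(?P<client>\S+) lookup=(?P<number>\+\d+) hit=(?P<hit>[01])$"
)


def parse_line(line):
    """Parse one lookup line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "client": m["client"],
        "number": int(m["number"][1:]),  # drop the leading '+'
        "hit": m["hit"] == "1",
    }


class SlidingWindowLimiter:
    """Per-client check: more than max_lookups within window_s seconds trips it."""

    def __init__(self, max_lookups, window_s):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self.events = defaultdict(deque)

    def observe(self, client, ts):
        q = self.events[client]
        q.append(ts)
        while q and q[0] <= ts - self.window_s:  # expire old timestamps
            q.popleft()
        return len(q) > self.max_lookups


def longest_consecutive_run(numbers):
    """Longest run of adjacent phone numbers probed, across all clients."""
    s = sorted(set(numbers))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def analyse(lines, max_per_client=20, window_s=60, run_threshold=10):
    """Apply both signals: per-client rate and aggregate range-walk detection."""
    limiter = SlidingWindowLimiter(max_per_client, window_s)
    flagged_clients = set()
    probed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        probed.append(ev["number"])
        if limiter.observe(ev["client"], ev["ts"]):
            flagged_clients.add(ev["client"])
    run = longest_consecutive_run(probed)
    return {
        "flagged_clients": sorted(flagged_clients),
        "longest_run": run,
        "range_scan_suspected": run >= run_threshold,
    }


def build_sample_log():
    """Constructed lookup log for this example (not real traffic)."""
    lines = []
    # Ordinary contact sync: a few scattered numbers, well under the limit.
    for i, n in enumerate([4315550101, 4315559944, 4915557312]):
        lines.append(f"{1000 + i} client=app-legit lookup=+{n} hit=1")
    # One noisy client: 25 lookups inside ten seconds, above max_per_client=20.
    for i in range(25):
        lines.append(f"{2000 + i // 3} client=app-noisy lookup=+{4315560000 + 7 * i} hit=0")
    # Distributed range walk: 12 clients each probe only 3 adjacent numbers,
    # so no single client ever exceeds the per-client limit.
    base = 4316000000
    for c in range(12):
        for k in range(3):
            lines.append(f"{3000 + c} client=app-{c:02d} lookup=+{base + 3 * c + k} hit={k % 2}")
    return lines


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

Run against the constructed log, only `app-noisy` trips the per-client limiter, while the twelve `app-NN` clients walking a contiguous block of 36 numbers pass it untouched and are caught only by the run-length signal. That is the gap the study’s authors point to: as long as a phone number maps directly to an account, per-client throttling alone leaves the enumeration pattern visible only in the aggregate.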

Meta is currently exploring the implementation of a username identification system, which could reduce reliance on phone numbers and limit the risk of enumeration. This development would mean a notable change in the way users create and share their identity on the platform.
