A simple WhatsApp security flaw exposed 3.5 billion phone numbers
WhatsApp’s mass adoption stems in part from how easy it is to find a new contact on the messaging platform: add someone’s phone number, and WhatsApp will instantly show whether they’re on the service, often along with their profile picture and name.
Repeat the same trick billions of times, once for every possible phone number, and that same feature becomes a handy way to collect the cell number of almost every WhatsApp user on earth, along with, in many cases, the profile pictures and text that identify each of those users. The result is the exposure of personal information for a significant portion of the world’s population.
A group of Austrian researchers have now shown that they were able to use this simple method of checking every possible number through WhatsApp’s contact discovery feature to extract the phone numbers of 3.5 billion users of the messaging service. For about 57 percent of these users, they found that they could also access profile photos, and for another 29 percent, the text on their profiles. The service’s parent company, Meta, had not limited the speed or number of contact discovery requests the researchers could make by interacting with WhatsApp’s browser-based app, which allowed them to check nearly 100 million numbers per hour, they say, despite a warning from another researcher in 2017 about the same data exposure.
The result would have been “the largest data leak in history, if not collected as part of a responsible research study,” as the researchers write in a paper documenting their findings.
“As far as we know, this represents the most extensive disclosure of phone numbers and associated user data ever recorded,” said Aljosha Judmayer, one of the researchers at the University of Vienna who worked on the study.
The researchers say they alerted Meta to their findings in April and deleted their copy of the 3.5 billion phone numbers. By October, the company had addressed the enumeration problem by implementing stricter rate limiting that prevented the mass-scale contact discovery method the researchers used. But until then, the data exposure could have been exploited by anyone else using the same scraping method, adds Max Guenther, another University of Vienna researcher who wrote the paper. “If we could recover it easily, others could,” he says.
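The two states the article describes, a contact-discovery lookup with no limit at all and the same lookup placed behind a per-client rate limit, as an added example in Python (not WhatsApp’s code or the researchers’ tooling). The phone-number block, the set of registered numbers and the token-bucket parameters are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    """Per-client budget: up to `capacity` lookups in a burst, refilled at `rate` per second."""
    capacity: float
    rate: float
    tokens: float
    updated: float

    def take(self, now: float, cost: float = 1.0) -> bool:
        # Refill in proportion to elapsed time, never above capacity, then try to spend one token.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

class ContactDiscovery:
    """Toy contact-discovery endpoint: tells a client which submitted numbers are registered."""
    def __init__(self, registered, capacity=None, rate=0.0):
        self.registered = set(registered)
        self.capacity, self.rate = capacity, rate  # capacity=None means no limit at all
        self.buckets = {}

    def lookup(self, client_id: str, numbers, now: float) -> dict:
        result = {"resolved": {}, "rate_limited": 0}
        if self.capacity is None:  # unthrottled: every number in the batch resolves
            result["resolved"] = {n: n in self.registered for n in numbers}
            return result
        bucket = self.buckets.setdefault(
            client_id, TokenBucket(self.capacity, self.rate, self.capacity, now))
        for n in numbers:  # each number checked costs one token; the rest are refused
            if bucket.take(now):
                result["resolved"][n] = n in self.registered
            else:
                result["rate_limited"] += 1
        return result

# Constructed user base: every 7th number in a fake Austrian mobile block (+43 660 xxxxxxx).
REGISTERED = {f"+43660{i:07d}" for i in range(0, 100000, 7)}

def enumerate_block(service, client_id, start, count, now):
    """Sweep `count` consecutive numbers, the way a bulk enumeration of the number space would."""
    return service.lookup(client_id, [f"+43660{i:07d}" for i in range(start, start + count)], now)

def registered_hits(result):
    return sum(1 for hit in result["resolved"].values() if hit)
```

With no limit, a single client resolves an entire 10,000-number block in one batch; with a budget of 100 lookups per hour, the same sweep yields 100 answers and 9,900 refusals, and a retry one second later yields none.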
In a statement to WIRED, Meta thanked the researchers for reporting their discovery through Meta’s bug-reporting system and described the leaked data as “publicly available information,” because profile photos and text were not exposed for users who chose to keep them private. “We were already working on industry-leading anti-scraping systems, and this study was instrumental in stress testing and confirming the immediate effectiveness of these new defenses,” writes Nitin Gupta, VP of Engineering at WhatsApp. “We found no evidence of malicious actors exploiting this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was available to researchers,” adds Gupta.
