New Delhi, Nov 20 A major vulnerability in WhatsApp left the personal details of nearly 3.5 billion users exposed, a research report from the University of Vienna has claimed.
The team of researchers uncovered a weakness in the platform’s contact discovery feature that allowed them to systematically check every possible phone number and identify active WhatsApp accounts on a massive scale.
Meta, the owner of the messaging service, was made aware of the problem and has taken steps to resolve the issue.
They generated over 100 million queries per hour using an automated method and ultimately gathered information on users from 245 countries.
Although the information retrieved was limited to data already visible to anyone having a phone number -- such as public keys, profile photos, "about" text, and timestamps -- the researchers said these fragments were enough to infer additional insights, including a user's operating system, how long they had been on the platform, and the number of linked devices.
But what makes the discovery even more troubling is that a similar warning had been issued eight years ago. In 2017, a security researcher had flagged the absence of limits on the number of phone number checks a user could perform-a gap that made large-scale scraping possible.
Despite this early warning, the vulnerability remained unpatched until the University of Vienna team showed just how easily it could be exploited.
They extracted 30 million U.S. phone numbers in the first half hour of testing and continued collecting data without resistance from the WhatsApp servers.
Meta, in a statement to 9to5Mac, said it appreciated the researchers' role in uncovering the vulnerability and credited the researchers for their role in identifying a novel enumeration technique that outsmarted its intended safeguards.
The company said it had already been working on advanced anti-scraping systems, and the study helped confirm the effectiveness of these new protections. Meta also confirmed the data had been securely deleted by the researchers and added that it did not find any evidence of malicious exploitation of the vulnerability.
Disclaimer: This post has been auto-published from an agency feed without any modifications to the text and has not been reviewed by an editor