Researchers from the University of Vienna found a major flaw in WhatsApp’s contact-discovery feature that let them check tens of billions of phone numbers and extract about 3.5 billion registered user numbers, along with many users’ profile pictures and “about” texts. The weakness stemmed from minimal rate-limiting: they could probe roughly 100 million numbers per hour with no meaningful restriction. Although messages remained end-to-end encrypted, the exposure raised concerns because phone numbers alone can enable mass scraping of user identities and targeted attacks — especially since many users leave profile data publicly visible. The company behind WhatsApp, Meta Platforms, says it deployed stricter rate-limiting after being notified and that the scraped data was only publicly accessible profile info, but the researchers warn that the window of vulnerability was large and that the underlying design (using phone numbers as identifiers) remains problematic.
