Publication date: 19.11.2025 13:12:00
Automation of number checks in WhatsApp allowed researchers from the University of Vienna to extract data on 3.5 billion users — a potential goldmine for attackers.
By sending queries through the web version, they could verify whether a number was registered. Around 100 million combinations were processed per hour, with no rate limits in place.
The vulnerability had existed for years: back in 2017 Dutch researcher Loran Kloese warned Meta about the same method, but the company dismissed it as non‑critical and refused a bug bounty reward.
The new study confirmed the issue and expanded its scope, collecting nearly all active WhatsApp numbers, including 2.3 million in China where the app is banned.
More than half of users had public avatars and photos visible, while 29% displayed open “about” text. In India and Brazil, over 60% of users leave profile pictures accessible.
Researchers stress this was not hacking but use of a standard feature. Meta acknowledged the problem, thanked the team, and emphasized that messages remained encrypted.
They also found duplicated cryptographic keys — a serious risk, as anyone sharing the same key could decrypt another user’s messages. This may stem from unofficial WhatsApp apps.
Experts highlight the systemic weakness: phone numbers are poor identifiers for a global service, vulnerable to brute force. WhatsApp is testing usernames to reduce reliance, but the main search method remains exposed.
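The control missing from the scenario described above is a per-client budget on the contact-discovery endpoint, together with some way of telling a genuine address-book sync from a sequential scan. The following Python is an added illustration, not code from WhatsApp, Meta or the Vienna researchers: a sliding-window limiter for a hypothetical "is this number registered?" endpoint, plus a hit/miss heuristic that treats a client whose recent queries almost all miss as an enumerator rather than a user syncing real contacts. The client identifiers, thresholds and the traffic it replays are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Lookup:
    """One 'is this number registered?' query as the server would log it."""
    ts: float         # request time in seconds (constructed sample values)
    client: str       # hypothetical per-account identifier making the query
    number: str       # phone number being checked (constructed, 555-style)
    registered: bool  # what the directory answered for that number


class DiscoveryGuard:
    """Sliding-window limiter plus a miss-ratio heuristic for one endpoint.

    Thresholds are assumptions for this example, not values from any product.
    """

    def __init__(self, window_s=60.0, max_per_window=200,
                 ratio_min_sample=50, max_miss_ratio=0.9):
        self.window_s = window_s                  # length of the sliding window
        self.max_per_window = max_per_window      # lookups served per window
        self.ratio_min_sample = ratio_min_sample  # lookups before ratio applies
        self.max_miss_ratio = max_miss_ratio      # above this, traffic looks like a scan
        self._hist = defaultdict(deque)           # client -> deque of (ts, registered)

    def _window(self, client, now):
        """Drop entries older than the window and return the client's deque."""
        q = self._hist[client]
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return q

    def decide(self, lookup):
        """Return 'allow', 'throttle' or 'flag' for one lookup.

        'throttle': the per-window budget is spent, the lookup is not served.
        'flag':     budget not spent, but nearly every recent query missed,
                    which is the signature of sequential enumeration rather
                    than syncing a real address book.
        """
        q = self._window(lookup.client, lookup.ts)
        if len(q) >= self.max_per_window:
            return "throttle"
        q.append((lookup.ts, lookup.registered))
        if len(q) >= self.ratio_min_sample:
            misses = sum(1 for _, reg in q if not reg)
            if misses / len(q) > self.max_miss_ratio:
                return "flag"
        return "allow"


def replay(lookups, guard=None):
    """Run lookups through the guard; return per-client decision counts."""
    guard = guard or DiscoveryGuard()
    counts = defaultdict(lambda: defaultdict(int))
    for lk in lookups:
        counts[lk.client][guard.decide(lk)] += 1
    return {client: dict(c) for client, c in counts.items()}


def sample_traffic():
    """Constructed traffic: one ordinary address-book sync and one scan.

    The sync checks 40 numbers over a minute and 90% of them are registered;
    the scan checks 300 consecutive numbers in 30 seconds and only 5% hit.
    """
    sync = [Lookup(ts=i * 1.5, client="sync-user", number=f"+1555{i:07d}",
                   registered=(i % 10 != 9)) for i in range(40)]
    scan = [Lookup(ts=i * 0.1, client="scanner", number=f"+1555{i:07d}",
                   registered=(i % 20 == 0)) for i in range(300)]
    return sync + scan


if __name__ == "__main__":
    for client, decisions in replay(sample_traffic()).items():
        print(client, decisions)
```

Run as a script it prints the decision counts per client: the sync user is allowed every time, while the scanner is allowed for its first 49 queries, flagged once its miss ratio exceeds 90%, and throttled outright after 200 queries in the window. The miss-ratio signal matters because a budget alone only slows a scan that is spread across many accounts; the ratio singles out accounts whose queries behave unlike any real contact list.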
As one author summarized: “Phone numbers were never meant to be secret identifiers. Using them this way for a third of humanity is a major architectural mistake.”