Researchers pull 100M WhatsApp phone numbers in an hour
While many focus on messaging security, researchers have revealed how using one of WhatsApp’s features could lead to the collection of users’ metadata.
-
WhatsApp’s contact discovery can be abused for large-scale “phone number enumeration,” letting attackers probe the service with address-book numbers.
-
Researchers pulled over 100 million numbers per hour without effective rate limiting.
-
The scraped profile metadata (phone number, profile photo, “about,” etc.) can be used to find out other sensitive details about a user.
-
The method enables targeted checking of whether specific people use WhatsApp (e.g., ex-partners, employers, officials), creating privacy and safety risks.
-
Meta says it’s deploying anti-scraping systems, rate-limiting, and stricter profile visibility.
Researchers from the University of Vienna and SBA Research found a privacy-related weakness in the messaging and video calling app’s contact discovery mechanism.
To start a new conversation, WhatsApp users first need to find who from their contacts is also using the platform.
The app servers are then queried with mobile phone numbers taken from the user’s contact list. This framework enables what the research refers to as “phone number enumeration,” which allows signed-up users to inquire about the availability of contacts.
Using this framework, the researchers extracted more than 100 million phone numbers per hour “without encountering blocking or effective rate limiting,” demonstrating that while users' private messages are end-to-end encrypted, their personal data can still be extracted in other ways.
How can your phone number be used against you?
For users to discover other contacts, WhatsApp registers users and their associated phone numbers. When users sign up for the service, they can choose whether to grant WhatsApp permission to access their address book and upload it to the app’s servers.
After this step, the user is informed which of their contacts are registered on the app.
While the initial idea of the feature was to make it easier for users to find each other in the app and to boost its use, the feature could also be used for more sinister reasons: to check on an individual, which could be an ex-partner, employer, or government official, as the research suggests, to see if they’re registered on the app and what kind of information their profile includes.
Such information can reveal the user’s phone number, profile picture, about information, public keys, and timestamps.
While such information might not seem too revealing, the researchers used it to obtain even more data, which would lead to more discoveries about the user, such as their account age, the operating system they’re using, and the number of linked devices.
What else did the WhatsApp contact discovery vulnerability reveal?
The extracted data also showed that WhatsApp has been used by millions of people in countries such as China, Iran, and Myanmar, where the app is officially banned. Therefore, such information could have severe consequences for these users.
And it showed that almost half of the phone numbers that were leaked during the Facebook data leak in 2021 are still active on WhatsApp, making these numbers prone to receiving scam calls and similar.
The extracted information also revealed some insights into platform usage: for example, it has been shared that WhatsApp is used by 81% of Android users, while the remaining percentage is used by iOS devices.
Meta reacts to disclosed vulnerabilities
The study, which has a preprint available on GitHub, doesn’t include any personal data, with all accessed information being deleted before the research publication. It has also been emphasized that during the study, no end-to-end encrypted content was affected.
However, what’s important to understand is that while such information is secure, the metadata associated with a user’s profile lacks that same security.
The research findings were also shared with Meta, under which WhatsApp operates, with its head of Engineering, Nitin Gupta, stating that the company is already working on “anti-scraping systems” to address the issue, as reported by Tech Explore.
It has also been shared that Meta has implemented measures, such as rate-limiting and stricter profile information visibility, to address the disclosed vulnerability.
WhatsApp has provided Cybernews with additional commentary on the matter, with Gupta stating:
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.”
He followed by stating that: “We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses.”
“Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”
Unlock more exclusive Cybernews content on YouTube.
