Thursday, November 20, 2025


WhatsApp faces scrutiny after discovery of large-scale user data exposure

Researchers from the University of Vienna have revealed a major security issue in WhatsApp that exposed the phone numbers of around 3.5 billion users. They discovered that they could also access profile photos for more than half of the users affected, along with profile text for nearly one third. The team noted that this flaw had existed for years and said that WhatsApp and its parent company were first alerted to a similar concern in 2017 but did not act on it at the time.

The researchers warned that if harmful groups had collected the same data, it could have resulted in what they called “the largest data leak in history”, even surpassing the large-scale scraping incident linked to another platform in 2021. They confirmed, “The dataset contains phone numbers, timestamps, about text, profile pictures and public keys for E2EE encryption and its release would entail adverse implications to the included users.” One of the researchers, Aljosha Judmayer, told a common publication, “To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented.”

The vulnerability was linked to WhatsApp’s contact discovery feature, which checks your address book to show who is on the platform. The team found that because there was no strict rate limiting, this feature could be used to scan massive ranges of phone numbers. Once a number was confirmed to be active on WhatsApp, the same gap allowed access to public information such as profile photos, about text, device details and connected devices. The team says they informed WhatsApp in April 2025, and although the company did not respond with urgency at first, it later worked with them to fix the issue by introducing stronger rate limiting by October.
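The rate-limiting idea described above can be sketched as a per-account budget on new phone numbers checked, so that re-syncing an existing address book stays free while sweeping fresh number ranges is cut off. This is an added example, not WhatsApp's implementation; the class name, thresholds, account labels and phone numbers are all constructed assumptions.

```python
from collections import defaultdict, deque


class ContactLookupBudget:
    """Per-account cap on *new* phone numbers checked inside a sliding window."""

    def __init__(self, max_new_numbers, window_seconds):
        self.max_new = max_new_numbers
        self.window = window_seconds
        self._events = defaultdict(deque)  # account -> (charged_at, number), oldest first
        self._seen = defaultdict(set)      # account -> numbers currently charged

    def _expire(self, account, now):
        events, seen = self._events[account], self._seen[account]
        while events and now - events[0][0] >= self.window:
            _, number = events.popleft()
            seen.discard(number)

    def check(self, account, numbers, now):
        """Return the numbers the server may answer for; the rest are refused."""
        self._expire(account, now)
        events, seen = self._events[account], self._seen[account]
        allowed = []
        for number in numbers:
            if number in seen:
                allowed.append(number)      # already charged: address-book re-sync
            elif len(seen) < self.max_new:
                seen.add(number)            # charge one unit for a new number
                events.append((now, number))
                allowed.append(number)
        return allowed


def simulate():
    """Constructed traffic: one ordinary client and one range-scanning client."""
    budget = ContactLookupBudget(max_new_numbers=500, window_seconds=86400)
    address_book = [f"+1555{i:07d}" for i in range(200)]  # constructed numbers
    normal = enumerator = 0
    for hour in range(24):
        now = hour * 3600
        # Ordinary client re-syncs the same 200 contacts every hour.
        normal += len(budget.check("acct-normal", address_book, now))
        # Scanning client submits a fresh block of 1000 sequential numbers.
        block = [f"+1555{1_000_000 + hour * 1000 + i:07d}" for i in range(1000)]
        enumerator += len(budget.check("acct-enum", block, now))
    return normal, enumerator


if __name__ == "__main__":
    print(simulate())
```

Counting distinct numbers rather than requests is the design choice that matters here: a request-count limit either blocks large legitimate address books or leaves room for batched scans.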

Meta responded to the findings with a statement to a common technology publication. A spokesperson said, “We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty programme. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.” The spokesperson added that the study helped confirm the strength of its new anti-scraping tools and that there was no evidence of malicious activity. They also noted that the researchers deleted the collected data and said, “As a reminder, user messages remained private and secure thanks to WhatsApp’s default end to end encryption, and no non-public data was accessible to the researchers.”
