(Image caption: WhatsApp census.)
SAN DIEGO – In a startling revelation that underscores the fragility of digital privacy, security researchers have demonstrated how a now-patched weakness in WhatsApp allowed them to enumerate, by phone number, every active user on the platform, approximately 3.5 billion people worldwide.
The team, from the University of Vienna and SBA Research, exploited a weakness in WhatsApp’s contact discovery feature, the very system designed to safely check which contacts from a user’s address book also use the messenger. Their findings, which will be presented in detail at the upcoming Network and Distributed System Security (NDSS) Symposium in San Diego, paint a disturbing picture of mass data collection capabilities.
How a Simple Feature Became a Global Leak
The flaw was not in WhatsApp's much-touted end-to-end encryption but in the API (application programming interface) that answers whether a phone number is registered. According to the researchers, the interface lacked effective "rate limits," the controls that cap how many queries a client may make in a given time; without them, nothing stopped a single party from asking about arbitrary numbers at scale.
“This lack of throttling was critical,” the team noted. “In theory, it allowed us to query about 100 million phone numbers per hour. By systematically checking entire phone number ranges, we could build a complete picture of global WhatsApp usage.”
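To make the throttling point concrete, here is an added example (mine, not the researchers' tooling and not WhatsApp's API) that models a contact-discovery existence lookup as a plain Python class. Run first with no limiter, a range scan enumerates every registered number in the block; run with a per-client token bucket, the same scan stalls once its budget is spent. The `Directory`, `TokenBucket` and `enumerate_range` names, the number block and the set of "registered" numbers are all constructed for illustration.

```python
"""Added example: enumerating a contact-discovery lookup with and without a rate limit.

Everything here is constructed for illustration (hypothetical Directory class,
made-up phone numbers); it is not WhatsApp's API or the researchers' code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import islice
from typing import Callable

# Constructed set of "registered" numbers inside one small E.164 block.
PREFIX = "+4310000"          # hypothetical block; five more digits follow
REGISTERED = {"+431000000007", "+431000000042", "+431000000100", "+431000000255"}


class RateLimited(Exception):
    """The client has spent its lookup budget."""


@dataclass
class TokenBucket:
    """Per-client token bucket: `capacity` tokens of burst, `refill_per_sec` sustained.

    The clock is injected so the example is deterministic and runs offline.
    """
    capacity: int
    refill_per_sec: float
    clock: Callable[[], float]
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)
        self.last = self.clock()

    def take(self, n: int) -> None:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens < n:
            raise RateLimited(f"need {n} tokens, have {self.tokens:.0f}")
        self.tokens -= n


class Directory:
    """Existence lookup: which numbers in a batch are registered?

    limiter=None models the unthrottled endpoint the article describes. One token
    is charged per number queried, not per request, so large batches cannot be
    used to dodge the limit.
    """

    def __init__(self, registered: set[str], limiter: TokenBucket | None = None) -> None:
        self.registered = set(registered)
        self.limiter = limiter

    def lookup(self, batch: list[str]) -> list[str]:
        if self.limiter is not None:
            self.limiter.take(len(batch))
        return [n for n in batch if n in self.registered]


def enumerate_range(directory: Directory, prefix: str, start: int, stop: int,
                    width: int, batch_size: int = 100) -> tuple[list[str], int]:
    """Scan prefix + zero-padded suffix over [start, stop) in batches.

    Returns (registered numbers found, how many numbers were checked before the
    service cut the scan off).
    """
    numbers = (f"{prefix}{i:0{width}d}" for i in range(start, stop))
    hits: list[str] = []
    checked = 0
    for batch in iter(lambda: list(islice(numbers, batch_size)), []):
        try:
            hits.extend(directory.lookup(batch))
        except RateLimited:
            break            # a real scanner would back off; the point is that it stalls
        checked += len(batch)
    return hits, checked


def projected_hours(number_space: int, lookups_per_hour: float) -> float:
    """How long a full scan of `number_space` numbers takes at a sustained lookup rate."""
    return number_space / lookups_per_hour


def census_unthrottled() -> tuple[list[str], int]:
    """No limiter: every number in the block is checked and all four hits are found."""
    return enumerate_range(Directory(REGISTERED), PREFIX, 0, 1000, width=5)


def census_throttled() -> tuple[list[str], int]:
    """250-token bucket, clock frozen at t=0: the scan stops after two 100-number batches."""
    bucket = TokenBucket(capacity=250, refill_per_sec=10.0, clock=lambda: 0.0)
    return enumerate_range(Directory(REGISTERED, limiter=bucket), PREFIX, 0, 1000, width=5)


if __name__ == "__main__":
    print("unthrottled:", census_unthrottled())
    print("throttled:  ", census_throttled())
    # At the rate quoted in the article, a billion-number space falls in ten hours.
    print("hours for 1e9 numbers at 1e8/h:", projected_hours(1_000_000_000, 100_000_000))
```

The limiter charges per number rather than per request because contact discovery is inherently a batch interface; a per-request cap alone would simply push an attacker toward larger batches. In a real deployment the budget would also be keyed to an authenticated account or device, not just a connection, so that the scan cannot be spread across many cheap sessions.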
The researchers have published their methodology and findings in a detailed study available on GitHub, providing a rare, transparent look at a large-scale privacy exploit.
The result was an enormous database matching phone numbers to active WhatsApp accounts. For each number identified as registered, the API also returned whatever profile metadata the account's privacy settings exposed to non-contacts. This included:
- Profile pictures
- Status updates (“about” text)
- “Last seen” online timestamps
- Technical details like the operating system used
A Snapshot of Global Messaging Habits
The harvested data provided a unique census of WhatsApp’s user base. The operating system distribution alone revealed Android’s dominance, with roughly 81% of users worldwide, compared to about 19% on iOS.
Perhaps more alarming were the longitudinal insights. By comparing their dataset with the massive Facebook data leak from 2021, the researchers found that 58% of the phone numbers leaked back then are still active on WhatsApp today. “This shows the lasting value—and risk—of such mass data. It doesn't just fade away; it becomes a persistent resource for anyone who possesses it,” one researcher commented.
The study also pierced through digital borders. Despite internet censorship and blocks, millions of active accounts were identified in restricted countries. The team found 2,333,519 accounts linked to Chinese phone numbers and even identified at least five active accounts in North Korea.
Meta’s Response and the Shadow of Unofficial Apps
Meta, WhatsApp’s parent company, was informed of the vulnerability and has since implemented strict rate limits. In a statement, the company acknowledged the fix and stated there is no evidence the flaw was exploited by malicious actors prior to the researchers' discovery. However, the team points out that a complete forensic review of past abuse is “technically almost impossible,” leaving the door open to the possibility of prior, undetected exploitation.
A deeper technical finding in the research gives a glimpse of WhatsApp's less visible underbelly. The platform's end-to-end encryption relies on each app installation generating its own cryptographic key pair; the public half is what other users' clients fetch in order to encrypt messages to that account. The researchers, however, found clusters of phone numbers sharing the same public key, something that should never happen when each official app on a physical device generates its key independently.
This pattern strongly indicates widespread use of unofficial, modified WhatsApp clients. “Such software is commonly used in ‘click farms’ or for running marketing bots,” the report explains. “Operators copy identical security identities across many accounts for efficiency, often with faulty implementation.” The pattern not only helps identify fake accounts but also shows how unofficial apps can undermine the platform's security promises: an identity key copied across many accounts means that a single compromised private key exposes every account that shares it.
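An added illustration (mine, not the paper's code) of the key-reuse check described above: given records pairing a phone number with the public identity key served for it, group the numbers by key; any key attached to more than one number is a cluster worth flagging, because two honest installations generating random 256-bit keys will never collide in practice. The records, hex "keys" and country prefixes below are constructed.

```python
"""Added example: flagging accounts that share an identity public key.

Records are constructed for illustration; the hex strings stand in for
32-byte Curve25519 public keys and are not real keys.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed (phone number, hex public key) pairs. The first four look like
# ordinary installations with distinct keys; the last five share two keys.
RECORDS: list[tuple[str, str]] = [
    ("+14155550101", "1c" * 32),
    ("+14155550102", "8f" * 32),
    ("+447700900123", "b0" * 32),
    ("+4915112345678", "3d" * 32),
    ("+628123456001", "aa" * 32),
    ("+628123456002", "aa" * 32),
    ("+628123456003", "aa" * 32),
    ("+919876543001", "77" * 32),
    ("+919876543002", "77" * 32),
]

KEY_HEX_LEN = 64   # 32 bytes, hex-encoded


def cluster_by_key(records: list[tuple[str, str]], min_size: int = 2) -> dict[str, list[str]]:
    """Map each public key to the numbers it was served for; keep clusters of >= min_size.

    Clusters are returned largest first. A real collision of independently
    generated 256-bit keys is negligible, so any cluster means the key was
    copied between installations (or generated by a broken RNG).
    """
    by_key: dict[str, list[str]] = defaultdict(list)
    for number, pubkey in records:
        key = pubkey.lower()
        if len(key) != KEY_HEX_LEN or any(c not in "0123456789abcdef" for c in key):
            raise ValueError(f"malformed key for {number}: {pubkey!r}")
        by_key[key].append(number)
    clusters = {k: sorted(v) for k, v in by_key.items() if len(v) >= min_size}
    return dict(sorted(clusters.items(), key=lambda kv: -len(kv[1])))


def flagged_numbers(records: list[tuple[str, str]]) -> list[str]:
    """Every number that appears in some shared-key cluster."""
    return sorted(n for members in cluster_by_key(records).values() for n in members)


def reuse_rate(records: list[tuple[str, str]]) -> float:
    """Share of all records whose key is shared with at least one other number."""
    return len(flagged_numbers(records)) / len(records)


if __name__ == "__main__":
    for key, members in cluster_by_key(RECORDS).items():
        print(f"key {key[:8]}... shared by {len(members)} numbers: {members}")
    print(f"{len(flagged_numbers(RECORDS))} of {len(RECORDS)} records flagged "
          f"({reuse_rate(RECORDS):.0%})")
```

On a real census the interesting output is the distribution of cluster sizes and where the clustered numbers sit geographically, which is what lets an analyst separate a click farm running one copied identity across hundreds of numbers from a handful of users who restored a backup onto a second device.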
The Unsettling Takeaway
While the specific vulnerability is now closed, the episode serves as a powerful reminder of the latent risks in systems designed for scale. The line between a useful feature and a privacy-invasive tool can be razor-thin, often dependent on robust but easily overlooked technical safeguards.
The full academic paper, “Hey, You Are Using WhatsApp! A Census of WhatsApp Users and Their Characterization,” is available for review and will be a key topic at the NDSS symposium later this month, prompting further discussion on securing the fundamental building blocks of global communication.
