WhatsApp Flaw Exposed Phone Numbers And Photos Of 3.5 Billion Users, Say Researchers

A significant privacy issue in WhatsApp has come to light after researchers revealed that a long-standing flaw exposed the phone numbers and profile photos of nearly 3.5 billion users worldwide. The discovery was made by a team from the University of Vienna, who found that WhatsApp’s contact-discovery system lacked proper rate limiting, allowing automated tools to check millions of phone numbers per hour. Through this gap, researchers were able to confirm whether a number was registered on WhatsApp and retrieve publicly visible profile photos and status text from a large portion of accounts. They noted that the flaw existed for years and could have been used to build one of the largest user data collections in history.

The issue was tied to the mechanism responsible for verifying whether a phone number belonged to a WhatsApp account. Instead of restricting how many queries could be made, the system allowed unlimited checks without warnings. By using WhatsApp Web as an interface, the researchers managed to systematically test numbers across countries and extract an enormous dataset. Their results showed that for 57 per cent of accounts, profile photos were accessible, while 29 per cent revealed profile text. What raised further concern was that this technique worked even in regions where WhatsApp is banned, such as China, Iran, North Korea, and Myanmar, potentially endangering users who rely on the app discreetly.

Meta acknowledged the issue and described it as an overlooked design decision rather than a typical bug. Nitin Gupta, vice president of engineering at WhatsApp, stated that the study helped validate new anti-scraping systems and that no evidence suggested the flaw was abused by malicious actors. Meta emphasised that user messages remained secure due to end-to-end encryption and that only public information was exposed, including phone numbers and profile images. The company has since introduced rate limits to prevent unchecked queries and restrict large-scale data harvesting.

According to the research team, the weakness had been present since at least 2017, and Meta had been warned about similar risks previously. While the company has now implemented protections, the scale of data that could have been scraped raises concerns about digital privacy and surveillance. Researchers also deleted the data after completing their study and reported the flaw to Meta, which took around six months to issue a fix. The incident has renewed global discussions about the safety of instant messaging apps, the need for transparency in design decisions, and the importance of stronger safeguards to protect users’ personal information.
