The WhatsApp Vulnerability Exposed
Between December 2024 and April 2025, a team from the University of Vienna identified 3.5 billion active phone numbers on WhatsApp, representing nearly its entire user base. Remarkably, this was achieved from a single server with minimal technical resistance.
The researchers processed more than a hundred million numbers per hour, extracting not only whether an account existed but also its public keys, profile photo, status text, and device metadata, all from the same university IP address using five accounts over four months. Alarmingly, Meta was unaware of the scraping until it was explicitly reported.
Significance of the Findings
This incident highlights a troubling vulnerability that has previously surfaced in 2012 and again in 2021. However, this is the first time it’s occurred at such a massive scale. The findings reveal a paradox in WhatsApp’s architecture:
- For contact discovery to work, the service must reveal whether a given phone number is registered.
- That same answer, collected at scale, is exactly what compromises user privacy.
Knowing who utilizes WhatsApp, especially in countries where the app is banned like China, Burma, or North Korea, leads to severe implications. The researchers identified 2.3 million users in China, 1.6 million in Burma, and five in North Korea.
Technical Insight
The team developed a tool called ‘libphonegen’ to cut down the search space from billions of theoretical combinations to “just” 63 billion legitimate numbers across 245 countries. Using unofficial WhatsApp clients to interface directly with the XMPP API, they queried at an astonishing rate of 7,000 requests per second without facing any blocks or sanctions.
Meta remained unresponsive to these findings until March of this year, with countermeasures only arriving in October.
User Demographics and Patterns
The dataset produced was five times larger than the 2021 Facebook scraping scandal:
- India had the highest number of users, with 749 million accounts (21% of the total), followed by Indonesia and Brazil. Spain had 46.5 million accounts.
- 81% of the users operated on Android devices.
- More than half of the users had a public profile photo.
- 29% displayed their status text publicly.
Inferred Data Collection
The researchers could also infer each account's operating system from how its cryptographic key identifiers were initialized, which matters when assessing which users are exposed. For example:
- Android starts certain identifiers at zero.
- iOS does so with random values.
Ethical Implications and Meta’s Response
They also found public keys reused across multiple accounts, which should never happen if each device generates its own keys. For instance, they identified 2.3 million distinct keys linked to 2.9 million devices. Such findings raise alarms about potential fraudulent activity, especially in regions like Burma and Nigeria.
Once the vulnerability was reported, Meta deployed probabilistic cardinality counters to cap the number of distinct accounts a single user can query, and restricted bulk access to profile photos and status texts. Subsequent tests showed these measures were effective; however, nothing can be done for the accounts already exposed during the months when the scraping was active.
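The cap on distinct lookups described above, shown as an added illustration rather than Meta's own code: it assumes a HyperLogLog sketch as the cardinality counter and uses constructed sample numbers, not real subscribers.

```python
import hashlib
import math
from collections import defaultdict


class HyperLogLog:
    """Probabilistic distinct-value counter with 2**p one-byte registers.

    Memory stays fixed however many numbers are looked up, which is what makes
    a per-account cap on *distinct* queries affordable for a billion users.
    """

    def __init__(self, p: int = 12):
        self.p, self.m = p, 1 << p
        self.registers = [0] * self.m
        self.alpha = 0.7213 / (1 + 1.079 / self.m)

    def add(self, value: str) -> None:
        h = int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")
        idx, rest = h & (self.m - 1), h >> self.p      # register index, remaining bits
        rank = (64 - self.p) - rest.bit_length() + 1   # position of first 1-bit
        self.registers[idx] = max(self.registers[idx], rank)   # repeats change nothing

    def count(self) -> float:
        raw = self.alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:              # small-range (linear counting) correction
            return self.m * math.log(self.m / zeros)
        return raw


class LookupLimiter:
    """Allow a lookup only while the account's estimated distinct-number count is under the cap."""

    def __init__(self, max_distinct: int):
        self.max_distinct = max_distinct
        self.sketches = defaultdict(HyperLogLog)

    def allow(self, account: str, number: str) -> bool:
        sketch = self.sketches[account]
        sketch.add(number)
        return sketch.count() <= self.max_distinct


def simulate(max_distinct: int = 1000) -> dict:
    """Constructed scenario: an ordinary user re-syncing 300 contacts versus a bulk enumerator."""
    limiter = LookupLimiter(max_distinct)
    contacts = [f"+3460000{i:04d}" for i in range(300)]           # constructed, not real
    normal_ok = all(limiter.allow("normal-user", n) for _ in range(20) for n in contacts)
    verdicts = [limiter.allow("scraper", f"+3461{i:06d}") for i in range(5000)]  # contiguous block
    first_block = verdicts.index(False) if False in verdicts else None
    return {"normal_allowed": normal_ok, "scraper_blocked_at": first_block}
```

The ordinary user is never blocked because repeated lookups of the same numbers do not raise the estimate, while the enumerator is cut off close to the cap.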
Conclusion and Ongoing Concerns
Most concerning of all, for four months these researchers operated from a university server without concealing their identity, effectively harvesting the user base of the world's leading messaging application without Meta noticing until it was reported. If it was this easy for them, one has to ask what other scraping has gone unnoticed.
Featured image | Dimitri Karastelev