If you use WhatsApp, you might be surprised to know that a group of Austrian researchers managed to extract the phone numbers of 3.5 billion WhatsApp users. Yours might be among them as well. Here's everything you need to know.
Honestly, anyone could've scraped every WhatsApp number out there
When you want to check whether a number is registered on WhatsApp, you simply search for that number on the platform. If the number is associated with a WhatsApp account, you'll see the profile picture and the name set for it. Security researchers at the University of Vienna in Austria used this same technique to extract the WhatsApp numbers of 3.5 billion users.
While searching for flaws in WhatsApp's end-to-end encryption system, Austrian researchers discovered that the platform lacks rate-limiting protection to prevent abuse of its feature that checks whether a number is registered on WhatsApp. Within just half an hour, they were able to extract 30 million WhatsApp numbers registered in the U.S. by exploiting this flaw. By the end of their research, they had collected the WhatsApp numbers of 3.5 billion users worldwide.
All they did was change the number sequence, and ta-da! WhatsApp revealed whether that number was registered on the platform. About 57% of these 3.5 billion WhatsApp users had their privacy settings configured to show their profile picture to everyone. As a result, the researchers were easily able to collect their profile photos as well. They could also view the profile text of 29% of these 3.5 billion WhatsApp users.
WhatsApp had been sitting on this flaw since 2017
A screenshot of the WhatsApp interface. | Image by PhoneArena
Interestingly, WhatsApp's parent company, Meta, was made aware of this flaw back in 2017 by another group of researchers. However, Meta didn't take any action on the matter at that time, and it remained possible to easily check whether a number was registered on WhatsApp or not.
In April this year, Austrian researchers submitted their findings to Meta on how big a security risk this flaw poses to WhatsApp. Bad actors could easily use the simple trick to extract photos and phone numbers of a large number of WhatsApp users. What are the chances they haven't already exploited this flaw to steal data?
Fortunately, in October this year, Meta finally enforced a stricter rate-limiting measure on WhatsApp, which will ensure that such mass-scale contact discovery is no longer possible on the platform. The security researchers have also securely deleted their database containing all the extracted phone numbers and related data.
WhatsApp competitors like Signal already come with rate-limiting protection. As a result, you won't be able to perform mass-scale contact discovery as WhatsApp used to allow.
Recommended Stories
Do you use WhatsApp to talk with your friends?
Yes - WhatsApp is my favorite messaging app.
85.71%
No - I use any other messaging app.
14.29%
I prefer calls over messaging.
0%
Another security negligence in Meta apps
This isn't the first time Meta's apps have found themselves in the news due to security flaws. In 2021, the database of 530 million Facebook users was publicly leaked online. Interestingly, even then, bad actors used a WhatsApp-like vulnerability to access the data. They exploited Facebook's feature that allowed users to search profiles by phone number to scrape the personal information of 530 million users.
No doubt, WhatsApp is great in many ways. It's free, supports end-to-end encryption, allows group video calls, and more. But after hearing about its security flaws and its habit of collecting data, I don't feel confident enough to use WhatsApp anymore. I've recently switched to Signal, and I'm loving it. It collects almost no data at all and offers many advanced privacy features, such as call relay, which hides your IP address during calls, and screen security, which prevents others from taking screenshots of your conversations.
Unlimited plans for $15/mo at Mint!
$180
$360
$180 off (50%)
Mint Mobile is also offering an incredible bargain for those seeking unlimited data! The carrier's latest deal lets you grab any unlimited plan for just $15/mo, bringing the 12-month Unlimited plan to $180 instead of $360.
A discussion is a place, where people can voice their opinion, no matter if it
is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some
random thoughts, which are not directly related to the matter.
Things that are NOT allowed:
Off-topic talk - you must stick to the subject of discussion
Offensive, hate speech - if you want to say something, say it politely
Spam/Advertisements - these posts are deleted
Multiple accounts - one person can have only one account
Impersonations and offensive nicknames - these accounts get banned
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts:
New accounts created within the last 24 hours may experience restrictions on how frequently they can
post or comment.
These limits are in place as a precaution and will automatically lift.
Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a
post should be moderated - please, report it.
Have a question about the rules or why you have been moderated/limited/banned? Please,
contact us.
![New T-Mobile CEO has everyone on the edge of their seats with new teaser [UPDATED]](https://m-cdn.phonearena.com/images/article/175840-wide-two_350/New-T-Mobile-CEO-has-everyone-on-the-edge-of-their-seats-with-new-teaser-UPDATED.webp)
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: