Overview
- University of Vienna researchers enumerated roughly 3.5 billion WhatsApp-registered numbers by automating contact discovery and collected public profile photos for about 57% of accounts and public “about” text for about 29%.
- The team’s method hit about 7,000 queries per second — more than 100 million checks per hour — revealing ineffective rate-limiting on WhatsApp’s web interface during the study period.
- The researchers disclosed the issue to Meta in April and deleted the data, and by October WhatsApp deployed stricter rate limits that blocked the original technique in retests.
- Meta said end-to-end encrypted messages were not exposed and reported no evidence that attackers abused the enumeration vector.
- The study also noted repeated and anomalous public encryption keys and warned that phone-number–based identity enables large-scale scraping and potential targeting of users, including in countries where WhatsApp is banned.