A simple and common gesture in the daily life of anyone who owns a phone, namely checking contacts, can be exploited to obtain personal information and data on a global scale. Using the automatic contact discovery mechanism, the procedure the app uses to compare a user's address book with the numbers registered on the platform, a group of scientists managed to take over around 3.5 billion accounts in 245 countries, without breaching advanced security systems or bypassing end-to-end encryption.
HOLES IN THE NETWORK
The flaw was discovered by analysts from the University of Vienna and SBA Research, who underscored that this incident, had it been caused with malicious intent, “would be the largest data leak, in terms of users involved, in the history of computer security.” After identifying the holes in the network, the experts managed to download all available information, including phone numbers, profile data and users' public keys, and thus demonstrated that more than 100 million telephone numbers per hour can be queried through the platform's infrastructure. During the research, conducted between September 2024 and April 2025, the group reported how the app “reveals information even though it is encrypted and how attackers can weaken the encryption itself”. To demonstrate this, five authenticated profiles and one university server were enough to build the dataset. “If we succeed in recovering this data so easily, others can do the same,” warns Max Günther, one of the study's authors. The analysts noted that they warned Meta in April, but the company only introduced new restrictions in October. According to a statement Meta released to Wired, the extracted data is “basic public information”, and users who have configured stricter privacy settings are not at risk. “We found no evidence that malicious parties exploited this vulnerability. There was no non-public data accessible to researchers,” assured Nitin Gupta, WhatsApp chief engineer. Already in 2017, Loran Kloeze had shown that WhatsApp does not limit the number of checks that can be carried out, allowing anyone to check numbers and obtain profile photos and last-seen information through repeated attempts. “It's scary now, isn't it?” he warns.
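The enumeration described above works because contact discovery places no meaningful ceiling on how many numbers one account may look up. As an added illustration, not code from the study or from WhatsApp, here is a toy contact-discovery endpoint that enforces a per-account sliding-window lookup budget and rejects batches that look like a number sweep rather than a genuine address book; the registry, thresholds and account names are constructed assumptions.

```python
import time
from collections import deque

# Constructed registry of "registered" numbers (toy data, not real users).
REGISTERED = {"+15550000100", "+15550000250", "+15550000731"}


class ContactDiscoveryService:
    """Toy contact-discovery endpoint (an assumption, not WhatsApp's real design).
    Enforces a per-account lookup budget over a sliding window and blocks
    batches whose numbers look like a sequential sweep."""

    def __init__(self, max_lookups=1000, window_s=3600, max_consecutive=50):
        self.max_lookups = max_lookups        # numbers an account may check per window
        self.window_s = window_s              # sliding window length in seconds
        self.max_consecutive = max_consecutive
        self._log = {}                        # account_id -> deque of (timestamp, count)

    def _spent(self, account, now):
        """Drop expired entries and return lookups used inside the window."""
        q = self._log.setdefault(account, deque())
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return sum(n for _, n in q)

    @staticmethod
    def looks_like_enumeration(numbers, max_consecutive):
        """A real address book is sparse; long runs of consecutive numbers are not."""
        digits = sorted(int(n.lstrip("+")) for n in numbers)
        run = 1
        for a, b in zip(digits, digits[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= max_consecutive:
                return True
        return False

    def sync(self, account, numbers, now=None):
        """Answer which of `numbers` are registered, or refuse the batch."""
        now = time.time() if now is None else now
        if self.looks_like_enumeration(numbers, self.max_consecutive):
            return {"status": "blocked", "reason": "enumeration pattern"}
        if self._spent(account, now) + len(numbers) > self.max_lookups:
            return {"status": "rate_limited", "retry_after_s": self.window_s}
        self._log[account].append((now, len(numbers)))
        return {"status": "ok", "registered": sorted(set(numbers) & REGISTERED)}
```

Logging the "blocked" and "rate_limited" outcomes per account is what turns this into a detection signal: five accounts each hitting the ceiling every hour stand out immediately.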
PHISHING
The researchers analyzed visibility data for each country: in the United States, 44% of profiles showed a profile photo and 33% showed “Info” text; in India public photos reached 62%, in Brazil 61%. Active WhatsApp users can also be found in countries where the application is banned, such as China or Myanmar. Beyond the billions of phone numbers, the experts estimate that a huge amount of information can be drawn from the photos and statuses users publish: sensitive data such as political opinions, religion, links to dating sites and even the email addresses of public employees. The combination of phone numbers, profiles and disclosed keys would allow cybercriminals to track, manipulate or extort money from users through highly targeted phishing. “The findings of this study remind us that even mature and reliable systems can contain design or implementation flaws that have real-world consequences,” said author Gabriel Gegenhuber. “This shows that security and privacy need to continue to be re-evaluated as technology evolves.”
