A team of Austrian researchers has uncovered an exceptionally large vulnerability in WhatsApp that allowed attackers to harvest the phone numbers associated with all active accounts, approximately 3.5 billion profiles. The study, reported by Wired, shows that profile pictures and profile text could also be retrieved in some cases. The vulnerability relies on a very simple feature: the phone number search function. Since the application did not limit the number of allowed queries, it was enough to query the database as many times as necessary to retrieve matching accounts. The researchers explain that they collected thirty million American phone numbers in half an hour, and nearly fifty-four million for France. They emphasize that malicious actors could have exploited this lack of protection to build a global database, paving the way for massive phishing, identity theft, and harassment campaigns. According to them, the incident could have become "the biggest data breach in history" if the operation had been carried out by cybercriminals.
The team says it deleted all the collected data after notifying Meta.
WhatsApp has confirmed that it has patched the vulnerability and strengthened its anti-scraping systems. Its Vice President of Engineering stated that the detection and blocking tools were immediately improved, thanks in part to the tests conducted as part of this study. The flaw highlights the need for messaging platforms to impose strict limits on automated requests. It also serves as a reminder to users of the importance of adjusting their privacy settings to restrict the visibility of their profile information to only approved contacts.
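The two mitigations the article names, a limit on automated lookups and profile visibility restricted to approved contacts, are easy to model in a few dozen lines. The following is an added example written for this page; it is not WhatsApp's or Meta's code and does not describe how their anti-scraping systems work. The class names, the in-memory sample directory, the sliding-window limit of 20 lookups per minute, and the miss-ratio heuristic (a client whose lookups are overwhelmingly for unregistered numbers is cut off) are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample directory (not real accounts). Each entry carries the
# profile field a lookup may reveal, the owner's visibility setting, and the
# set of client ids the owner has approved as contacts.
SAMPLE_DIRECTORY = {
    "+15550000001": {"name": "Alice", "visibility": "everyone", "contacts": set()},
    "+15550000002": {"name": "Bob", "visibility": "contacts", "contacts": {"client-a"}},
    "+33600000001": {"name": "Chloe", "visibility": "contacts", "contacts": set()},
}


class SlidingWindowLimiter:
    """Allow at most `limit` lookups per client in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client id -> timestamps of accepted lookups

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:  # expire timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class ContactDiscoveryService:
    """Phone-number lookup with a per-client rate limit, a miss-ratio alarm,
    and profile fields gated by the owner's visibility setting (hypothetical design)."""

    def __init__(self, directory, limit=20, window=60.0, miss_alarm=0.8, min_sample=10):
        self.directory = directory
        self.limiter = SlidingWindowLimiter(limit, window)
        self.miss_alarm = miss_alarm    # fraction of misses that flags a client (assumed threshold)
        self.min_sample = min_sample    # lookups needed before the ratio is judged
        self._stats = defaultdict(lambda: {"total": 0, "miss": 0})
        self.flagged = set()            # clients whose pattern looks like bulk probing

    def lookup(self, client_id: str, phone: str, now: float) -> dict:
        if client_id in self.flagged or not self.limiter.allow(client_id, now):
            return {"status": "rate_limited"}
        stats = self._stats[client_id]
        stats["total"] += 1
        entry = self.directory.get(phone)
        if entry is None:
            stats["miss"] += 1
        # Heuristic (an assumption, not the vendor's rule): syncing a real address
        # book mostly hits registered numbers, so a client whose lookups are almost
        # all misses is walking number ranges and stops being served.
        if stats["total"] >= self.min_sample and stats["miss"] / stats["total"] >= self.miss_alarm:
            self.flagged.add(client_id)
        if entry is None:
            return {"status": "not_found"}
        result = {"status": "ok"}
        # Profile data is returned only when the owner's privacy setting allows it.
        if entry["visibility"] == "everyone" or client_id in entry["contacts"]:
            result["name"] = entry["name"]
        return result


def drive_lookups(service, client_id, phones, start=0.0, gap=0.1) -> dict:
    """Send one lookup per number, `gap` seconds apart, and tally the statuses.
    Used here to exercise the controls, e.g. in a unit test of the service."""
    tally = defaultdict(int)
    for i, phone in enumerate(phones):
        tally[service.lookup(client_id, phone, start + i * gap)["status"]] += 1
    return dict(tally)


if __name__ == "__main__":
    svc = ContactDiscoveryService(SAMPLE_DIRECTORY, limit=5, window=60.0, min_sample=1000)
    print("limiter:", drive_lookups(svc, "client-a", ["+15550000001"] * 8))
    det = ContactDiscoveryService(SAMPLE_DIRECTORY, limit=1000, window=60.0)
    print("miss alarm:", drive_lookups(det, "bulk", [f"+1555000{i:04d}" for i in range(25)]))
    print("flagged:", det.flagged)
```

Two design points are worth noting. The limiter is keyed on an authenticated client identity rather than an IP address, since a scraper can spread requests across many addresses but must still present a registered client to the lookup API. The miss-ratio alarm complements the fixed limit: a patient scraper that stays under the per-minute quota still reveals itself by the shape of its queries, which a genuine contact sync does not.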