WhatsApp is known for its encrypted chats, but a recently discovered flaw revealed that even the most trusted apps can have weak spots. A massive security issue exposed the phone numbers and profile photos of over 3.5 billion people around the world. Although Meta says the flaw is fixed, the scale of exposure has raised serious concerns.
What Was the WhatsApp Flaw?
The main problem was in the contact discovery feature. This system checks whether a phone number belongs to a WhatsApp user. However, the app didn’t limit how many numbers someone could test, creating an opening for mass data scraping.
How Rate Limiting Failed
WhatsApp allowed unrestricted automated requests. This meant someone could test millions of phone numbers every hour without any block or warning, making it easy to collect user data on a global scale.
How Researchers Found the Issue
Researchers from the University of Vienna discovered the flaw when studying how much information WhatsApp reveals apart from encrypted chats.
A Simple Automation Exposed Billions
They created a script that fed billions of random phone numbers into WhatsApp Web. The system responded with whether the number existed on WhatsApp, exposing account details at massive speed.
Scale of the Data Exposure
The researchers were able to extract around 3.5 billion registered WhatsApp phone numbers. This covers almost every active user worldwide.
What Information Was Visible?
About 57% of accounts had publicly visible profile photos, and around 29% had a public status message, allowing easy collection of personal details.
Meta’s Official Response
Meta confirmed the flaw but described it as an overlooked design behavior, not a traditional bug. They also said only public information was exposed.
What About End-to-End Encryption?
Meta stressed that private messages were not affected. The flaw only exposed publicly accessible data such as numbers, photos, and status text.
Global Privacy Risks
The flaw allowed data collection even in countries where WhatsApp is banned, such as China, Iran, Myanmar, and North Korea. This puts users in those countries at risk.
Risks for Vulnerable Users
In some regions, having WhatsApp on your phone can be seen as a crime. The exposed data could have made it easier for authorities to target such individuals.
This Issue Has Existed Since 2017
Researchers warned WhatsApp about this exact problem back in 2017. Yet WhatsApp never added proper rate limits until now.
WhatsApp’s “Public Data” Explanation
WhatsApp has long argued that profile photos and status text are public by default. However, the scale of this exposure shows how dangerous this setting can be.
Public Data Breakdown by Country
In the United States, 44% of numbers exposed profile photos. In India, 62% of profiles showed photos, and in Brazil, the number was 61%.
Why Mass Scraping Was So Easy
Researchers used WhatsApp Web, which lacked strict protections. They were able to run nearly 100 million checks per hour without any interference.
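The unrestricted checking described in "How Rate Limiting Failed" and here is what a per-client lookup budget is meant to stop. As an added example (not WhatsApp's or Meta's code), the Python below puts a sliding-window rate limit in front of a contact-discovery check and also flags a client whose lookups are almost entirely for unregistered numbers, the pattern random-number scanning produces; every phone number, threshold and client name in it is constructed.

```python
# Added example (not WhatsApp's or Meta's code): a server-side gate in front of a
# contact-discovery endpoint. Each client gets a sliding-window lookup budget, and a
# client whose lookups are almost all for unregistered numbers (what feeding random
# numbers into the check looks like) is flagged. All numbers below are constructed.
from collections import Counter, deque


class DiscoveryGate:
    def __init__(self, registered, max_per_window, window_seconds,
                 miss_ratio_threshold=0.9, min_lookups_for_ratio=50):
        self.registered = set(registered)       # numbers that have an account
        self.max_per_window = max_per_window    # lookups allowed per client per window
        self.window = window_seconds
        self.miss_ratio_threshold = miss_ratio_threshold
        self.min_lookups_for_ratio = min_lookups_for_ratio
        self.clients = {}                       # client_id -> per-client state

    def lookup(self, client_id, number, now):
        """Answer one 'is this number registered?' check, or refuse it."""
        st = self.clients.setdefault(client_id, {"stamps": deque(), "total": 0, "misses": 0})
        stamps = st["stamps"]
        while stamps and now - stamps[0] >= self.window:   # expire lookups outside the window
            stamps.popleft()
        if len(stamps) >= self.max_per_window:
            return "rate_limited"
        if (st["total"] >= self.min_lookups_for_ratio
                and st["misses"] / st["total"] > self.miss_ratio_threshold):
            return "flagged"                                # enumeration-like pattern
        stamps.append(now)
        st["total"] += 1
        if number in self.registered:
            return "registered"
        st["misses"] += 1
        return "unknown"


def run_client(gate, client_id, numbers, start=0.0, interval=0.01):
    """Replay a client's lookups at a fixed pace; return a tally of the gate's answers."""
    return Counter(gate.lookup(client_id, n, start + i * interval)
                   for i, n in enumerate(numbers))


# Constructed data: one registered account per hundred numbers in a 10,000-number block.
REGISTERED = [f"+1555000{i:04d}" for i in range(0, 10000, 100)]
SEQUENTIAL_SCAN = [f"+1555000{i:04d}" for i in range(10000)]   # test input: a full block scan
CONTACT_SYNC = REGISTERED[:20]                                  # test input: a real address book

if __name__ == "__main__":
    gate = DiscoveryGate(REGISTERED, max_per_window=100, window_seconds=3600)
    print("block scan:", run_client(gate, "scanner", SEQUENTIAL_SCAN))
    print("address book:", run_client(gate, "phone", CONTACT_SYNC, interval=1.0))
```

With these settings the block scan gets 50 answers before the miss-ratio check refuses the rest, while the 20-contact address-book sync is answered in full.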
Possible Misuse of This Data
Scammers could use this data to target billions of users with fraud, spam, and impersonation schemes.
Government Surveillance Concerns
Authorities in restricted countries could have used this flaw to identify and track users of banned apps. Millions were exposed without knowing it.
Duplicate Encryption Keys Issue
Researchers also found duplicate encryption keys in many accounts. Several accounts even used the exact same key, which should never happen.
Unauthorized App Clients Likely the Cause
The researchers believe these duplicate keys came from people using illegal or modified WhatsApp versions with broken encryption.
Phone Numbers Are Not Secure Identifiers
The core problem is that phone numbers aren’t secure IDs. They are predictable, easy to guess, and globally connected to individuals.
WhatsApp Likely Needs Username System
WhatsApp has started testing usernames in beta versions, which could help reduce reliance on phone numbers for identity.
How Meta Finally Patched the Flaw
Meta added rate limits and new scraping defenses, but it reportedly took them six months after the researchers’ report to fully fix the issue.
What Users Should Do Now
Users should update their privacy settings and set their profile photo, “about,” and last seen visibility to “My Contacts” to reduce exposure.
Conclusion
The WhatsApp flaw exposed how a simple design choice can lead to one of the largest potential data leaks in history. While Meta has fixed the issue, the event highlights the urgent need for more secure user identification systems and better privacy defaults. Users should take control of their settings and limit what they publicly share. This event also reminds everyone that no system is perfect, even those advertised as secure.
FAQs
1. Was my phone number exposed in the flaw?
If you use WhatsApp, your number was likely checked during the scraping.
2. Are my messages still safe?
Yes, end-to-end encryption protects private chats.
3. Can this exposed data be misused?
Yes, scammers can use your number for fraud or spam.
4. Has WhatsApp fixed the issue?
Meta says the flaw is fully patched with improved rate limits.
5. How can I protect my profile?
Change your privacy settings to “My Contacts” for profile photo, about, and last seen.
Zeeshan Ali Shah is a professional blog writer at AliTech Solutions and Realancer, renowned for crafting engaging and informative content. He holds a degree from the University of Sindh, where he honed his expertise in technology. With a keen eye for detail and a passion for staying up to date on the latest tech trends, Zeeshan’s writing provides valuable insights to his readers. His expertise in the tech industry makes him a sought-after writer, and his work at AliTech Solutions has earned him a reputation as a trusted and knowledgeable voice in the field.