Full Report
By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more.
Analysis Summary
# Vulnerability: Mass Enumeration of WhatsApp User Data via Contact Discovery Tool
## CVE Details
- CVE ID: N/A (described as a design/implementation flaw rather than a CVE-tracked vulnerability requiring an immediate patch against an exploit; a related enumeration technique had been publicly known since 2017).
- CVSS Score: N/A
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
## Affected Systems
- Products: WhatsApp (Browser-based application interface)
- Versions: Versions prior to the October 2025 fix (rate-limiting implementation).
- Configurations: Any configuration where the contact discovery feature interacted with the WhatsApp web interface, allowing mass requests.
## Vulnerability Description
The vulnerability resided in WhatsApp's contact discovery feature on its browser-based application. This feature typically checks if a phone number added to a user's contacts is registered on WhatsApp, revealing associated profile information (photo, profile text). Austrian researchers exploited this by systematically feeding billions of possible phone number combinations into this discovery mechanism without sufficient rate limiting. This allowed them to enumerate approximately 3.5 billion phone numbers associated with WhatsApp accounts, and for a significant percentage, harvest associated profile photos and profile text. This was achieved without bypassing message encryption or accessing private messages.
## Exploitation
- Status: Conducted by researchers; the potential for exploitation by malicious actors was high prior to the fix.
- Complexity: Low (Described as "super easily" replicable using existing scraping techniques).
- Attack Vector: Network
## Impact
- Confidentiality: High (Exposure of billions of phone numbers, profile photos, and profile text).
- Integrity: Low (No direct modification capability described).
- Availability: Low (No impact on service availability).
## Remediation
### Patches
- **Rate Limiting Implementation:** Meta enacted stricter "rate-limiting" measures by October 2025 to prevent the mass-scale contact discovery method used by the researchers. Specific version numbers are not detailed in the article; the fix is server-side enforcement of request thresholds on the underlying lookup mechanism.
### Workarounds
- Privacy settings (hiding profile photos/text from non-contacts) gave users a layer of protection, but the phone numbers themselves were still exposed through this method unless Meta's server-side rate limiting was fully effective.
## Detection
- **Indicators of Compromise:** Excessive, high-volume sequential network requests targeting the contact discovery endpoint originating from a single source or automated system.
- **Detection methods and tools:** Monitoring server-side traffic logs for anomalous query rates to the contact lookup API, especially when targeting sequential number ranges.
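The detection approach described above (anomalous per-source query rates to the lookup endpoint, especially over sequential number ranges), as an added example that is not part of the original report or of any WhatsApp tooling. The log format, client identifiers, phone numbers and thresholds are all constructed for this illustration.

```python
"""Flag contact-discovery enumeration in constructed server-side lookup logs (added example)."""
import re
from collections import defaultdict

# Constructed sample log format (hypothetical): "<unix_ts> <client_id> contact_lookup <E.164 number>"
SAMPLE_LOGS = """\
1700000000 client-a contact_lookup +43660000001
1700000001 client-a contact_lookup +43660000002
1700000002 client-a contact_lookup +43660000003
1700000003 client-a contact_lookup +43660000004
1700000004 client-a contact_lookup +43660000005
1700000010 client-b contact_lookup +14155550123
1700000900 client-b contact_lookup +447700900123
1700000020 client-c contact_lookup +33612345678
1700000021 client-c contact_lookup +491512345678
1700000022 client-c contact_lookup +12125550199
1700000023 client-c contact_lookup +61412345678
1700000024 client-c contact_lookup +81312345678
malformed line that should be skipped
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+contact_lookup\s+\+(\d+)$")

def parse_lookups(log_text):
    """Group (timestamp, number) pairs by client id; unparseable lines are ignored."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, number = m.groups()
            per_client[client].append((int(ts), int(number)))
    return per_client

def sequential_fraction(numbers):
    """Share of adjacent lookups whose numbers differ by 1 or 2: the signature of walking a number range."""
    if len(numbers) < 2:
        return 0.0
    steps = [abs(b - a) for a, b in zip(numbers, numbers[1:])]
    return sum(1 for s in steps if 0 < s <= 2) / len(steps)

def flag_enumerators(log_text, window_s=60, min_lookups=5, seq_threshold=0.8):
    """Return {client_id: reason} for clients exceeding min_lookups within any window_s-second span.
    Reason is 'sequential-range' when the numbers walk a contiguous range, otherwise 'high-volume'."""
    flagged = {}
    for client, events in parse_lookups(log_text).items():
        events.sort()  # order by timestamp so the sliding window is contiguous in time
        for i in range(len(events)):
            j = i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window_s:
                j += 1
            window = events[i:j + 1]
            if len(window) >= min_lookups:
                seq = sequential_fraction([n for _, n in window])
                reason = "sequential-range" if seq >= seq_threshold else "high-volume"
                if reason == "sequential-range" or client not in flagged:
                    flagged[client] = reason  # a sequential finding outranks a plain volume finding
    return flagged
```

Running `flag_enumerators(SAMPLE_LOGS)` flags client-a for walking a contiguous range and client-c for volume alone, while client-b's two spaced-out lookups stay unflagged.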
## References
- Vendor Advisory (Implied Notification via Bug Bounty System, fix confirmed October 2025)
- Prior related warning by Loran Kloeze in 2017 (enumeration technique known).