A simple security flaw in WhatsApp exposes 3.5 billion phone numbers


WhatsApp's widespread adoption stems in part from how easy it is to find a new contact on the messaging platform: add someone's phone number, and WhatsApp instantly shows whether they're subscribed to the service, and often also shows their profile picture and name.

Repeat this same trick a few billion times with every possible phone number, it turns out, and the same feature could also serve as a convenient way to get the cell phone number of almost every WhatsApp user on Earth — along with, in many cases, the profile pictures and text that identifies each of those users. The result is a sprawling exposure of personal information to a large portion of the world’s population.

A group of Austrian researchers have now shown that they were able to use this simple method to check every possible number in WhatsApp contact discovery to extract the phone numbers of 3.5 billion users of the messaging service. For about 57% of these users, they also found that they had access to their profile pictures, and for another 29%, to the text on their profiles. Despite a previous warning about WhatsApp exposing this data from another researcher in 2017, they say the service’s parent company, Meta, still failed to limit the speed or number of contact discovery requests researchers can make by interacting with the browser-based WhatsApp app, which allows them to verify nearly a hundred million numbers per hour.

The result would be “the largest data leak in history, had it not been collected as part of a responsibly conducted research study,” as the researchers described it in a paper documenting their findings.

“To our knowledge, this represents the largest exposure of phone numbers and related user data ever documented,” says Aljoscha Judmayer, one of the researchers at the University of Vienna who worked on the study.

The researchers say they alerted Meta about their findings in April and deleted their copy of the 3.5 billion phone numbers. By October, the company had fixed the enumeration problem by enacting a stricter “rate-limiting” procedure that prevented the widespread contact detection method used by the researchers. But even then, the data exposure could also have been exploited by anyone else using the same extraction technique, adds Max Günther, another researcher from the university who co-wrote the paper. “If we could retrieve this information so easily, others could do the same too,” he says.
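As an added example (not code from the researchers' paper or from WhatsApp), the following Python applies the defender-side control the article describes, a per-client cap on contact-discovery lookups per window, to a constructed log of lookup events, and additionally flags long sequential walks through the number space. The event format, the client names and the thresholds are assumptions.

```python
"""Flag bulk contact-discovery enumeration in lookup logs (added example, not WhatsApp code)."""
from collections import defaultdict

# Constructed sample log: each event is (client_id, queried_number, account_found).
# "app-1" looks up a handful of unrelated numbers, like a normal address-book sync;
# "scraper-1" walks 500 consecutive numbers and gets a hit on roughly one in nine.
EVENTS = [("app-1", n, True) for n in (14155550101, 14155550123, 14155551900, 14155557777)]
EVENTS += [("scraper-1", 14155550000 + i, i % 9 == 0) for i in range(500)]


def profile_client(numbers, hits):
    """Summarise one client's lookups within a window: volume, sequentiality, hit rate."""
    steps = [b - a for a, b in zip(numbers, numbers[1:])]
    sequential = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
    return {
        "distinct": len(set(numbers)),
        "sequential": sequential,          # share of consecutive queries that advance by 1
        "hit_rate": sum(hits) / len(hits),  # real contact lists hit far more often than scans
    }


def is_enumeration(profile, per_window_cap=100, seq_threshold=0.8, min_volume=50):
    """Rate-limit rule (hard cap on distinct lookups per window) plus a pattern rule
    (a sizeable, mostly sequential walk through the number space)."""
    if profile["distinct"] > per_window_cap:
        return True
    return profile["distinct"] >= min_volume and profile["sequential"] >= seq_threshold


def flag_clients(events, **thresholds):
    """Group lookups by client and return {client_id: (profile, flagged)}."""
    by_client = defaultdict(lambda: ([], []))
    for client, number, found in events:
        by_client[client][0].append(number)
        by_client[client][1].append(found)
    results = {}
    for client, (numbers, hits) in by_client.items():
        profile = profile_client(numbers, hits)
        results[client] = (profile, is_enumeration(profile, **thresholds))
    return results


if __name__ == "__main__":
    for client, (profile, flagged) in flag_clients(EVENTS).items():
        print(client, "ENUMERATION" if flagged else "ok", profile)
```

A deployment would evaluate these profiles per sliding time window and key them on the account and the connecting network as well as on a client identifier.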

In a statement to WIRED, Meta thanked the researchers, who reported their discovery through Meta’s “bug bounty” system, and described the exposed data as “publicly available basic information,” as profile photos and texts were not revealed to users who chose to make them private. “We were already working on pioneering anti-scraping systems, and this study was useful in stress testing and confirming the immediate effectiveness of these new defenses,” wrote Nitin Gupta, vice president of engineering at WhatsApp. “We found no evidence of malicious actors abusing this vector,” Gupta adds. “As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and researchers were not able to access any non-public data.”
