Mass adoption of WhatsApp is partly a product of how easy it is to find a new contact on the messaging platform: add someone’s phone number, and WhatsApp immediately shows whether they’re on the service, and often their profile picture and name too.
Repeat the same trick a few billion times with every possible phone number, it turns out, and that same feature can also serve as a convenient way to get the cell number of almost every WhatsApp user on Earth, as well as, in many cases, the profile photo and profile text that identifies each of those users. The result is widespread exposure of personal information belonging to a significant portion of the world population.
A group of Austrian researchers have now shown that they were able to use that simple method of checking every possible number in WhatsApp’s contact search to extract the phone numbers of 3.5 billion users from the messaging service. For about 57 percent of those users, the researchers could also access the profile photo, and for another 29 percent, the text on the profile. Despite a previous warning about WhatsApp’s exposure of this data from a different researcher in 2017, they say, the service’s parent company, Meta, still failed to limit the speed or number of contact search requests made by the researchers through WhatsApp’s browser-based app, allowing them to check nearly a hundred million numbers an hour.
The result would be “the largest data leak in history, had it not been collected as part of a responsibly conducted research study,” as the researchers described it in a paper documenting their findings.
“To the best of our knowledge, this is the most comprehensive exposure of phone numbers and related user data ever,” says Aljosha Judmayer, one of the researchers at the University of Vienna who worked on the study.
The researchers say they warned Meta about their findings in April and deleted their copy of the 3.5 billion phone numbers. By October, the company had fixed the problem by implementing strict rate limiting that blocks the large-scale contact enumeration technique the researchers used. But in the meantime, the exposure could have been exploited by someone else using the same scraping technique, says Max Günther, another researcher at the university who co-authored the paper. “If we could achieve it so easily, then others could too,” he says.
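The enumeration the researchers describe, and the rate limit that now stops it, can be modelled in a few dozen lines. The following is an added illustration, not code from the paper or from WhatsApp: it assumes a hypothetical contact-discovery endpoint that answers “registered or not” for a batch of numbers, a constructed number space of 100,000 candidates with every hundredth number registered, and a per-client budget of lookups per time window. The endpoint design and all numbers are assumptions for the example.

```python
"""Toy model of phone-number enumeration against a contact-discovery oracle,
with and without a per-client lookup budget.

Constructed data and an assumed endpoint design, not WhatsApp's code or API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class RateLimited(Exception):
    """Raised when a client exceeds its lookup budget for the current window."""


@dataclass
class ContactDiscovery:
    """Hypothetical contact-discovery endpoint.

    Given a batch of numbers it reports which ones are registered, the
    behaviour the article describes. With lookups_per_window=None it answers
    without limit (the pre-fix behaviour); otherwise each client may look up
    at most that many numbers per window. Note the budget counts numbers, not
    requests, so large batches cannot be used to amplify a per-request limit.
    """
    registered: Set[str]                    # constructed directory of registered numbers
    lookups_per_window: Optional[int] = None
    window_seconds: int = 3600
    _usage: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # client -> (window_start, used)

    def lookup(self, client_id: str, numbers: List[str], now: int) -> Dict[str, bool]:
        """Return {number: is_registered} for a batch, enforcing the budget."""
        if self.lookups_per_window is not None:
            start, used = self._usage.get(client_id, (now, 0))
            if now - start >= self.window_seconds:   # fixed window rolled over
                start, used = now, 0
            if used + len(numbers) > self.lookups_per_window:
                raise RateLimited(f"{client_id} exceeded {self.lookups_per_window} lookups per window")
            self._usage[client_id] = (start, used + len(numbers))
        return {n: n in self.registered for n in numbers}


def enumerate_numbers(oracle: ContactDiscovery, client_id: str, candidates: List[str],
                      batch_size: int, now: int = 0) -> Tuple[int, List[str]]:
    """The scraper's loop: sweep a candidate space in batches until limited.

    Returns (numbers checked, registered numbers discovered).
    """
    found: List[str] = []
    checked = 0
    for i in range(0, len(candidates), batch_size):
        batch = candidates[i:i + batch_size]
        try:
            result = oracle.lookup(client_id, batch, now)
        except RateLimited:
            break                                    # budget exhausted for this window
        checked += len(batch)
        found.extend(n for n, hit in result.items() if hit)
    return checked, found


# Constructed number space: a fake prefix with 100,000 candidates, 1 in 100 registered.
CANDIDATES = [f"+43000{i:05d}" for i in range(100_000)]
REGISTERED = set(CANDIDATES[::100])


def run(limit: Optional[int]) -> Tuple[int, int]:
    """Enumerate the whole space with the given per-window budget.

    Returns (numbers checked, registered numbers found).
    """
    oracle = ContactDiscovery(registered=REGISTERED, lookups_per_window=limit)
    checked, found = enumerate_numbers(oracle, "scraper", CANDIDATES, batch_size=1000)
    return checked, len(found)


if __name__ == "__main__":
    for limit in (None, 5000):
        checked, hits = run(limit)
        print(f"lookups_per_window={limit}: checked {checked} numbers, found {hits} registered")
```

Without a budget the loop sweeps all 100,000 candidates and recovers every registered number; with a budget of 5,000 lookups per window the same client is cut off after five batches and learns only 50 of them. The same client could of course wait for the next window, so a budget like this only bounds the rate; whether that bound is low enough is a question of how many client identities an attacker can cheaply obtain.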
In a statement to WIRED, Meta thanked the researchers for reporting their discovery through Meta’s bug bounty program, and described the exposed data as “basic publicly available information,” noting that profile photos and profile text were not exposed for users who had chosen to make them private. “We were already working on industry-leading anti-scraping systems, and this study was helpful in stress-testing and confirming the immediate efficacy of these new defenses,” writes Nitin Gupta, vice president of engineering at WhatsApp. Gupta says, “We found no evidence of malicious actors abusing this vector. As a reminder, WhatsApp’s default end-to-end encryption meant user messages remained private and secure, and no non-public data was accessible to researchers.”
