Researchers at the University of Vienna uncovered a weakness in WhatsApp’s contact discovery process that let them confirm more than 3.5 billion active accounts across 245 countries. The team relied on the same basic mechanism that helps users find contacts through phone numbers. WhatsApp checks each number against its registry. The researchers found that the system allowed an unusually high volume of lookups from a single source, which opened the door to automated enumeration at a massive scale.
Their testing reached a pace of more than one hundred million number checks per hour. The data made available through these lookups matched what any person could access when already aware of a phone number. That limited set included numbers, public keys, timestamps and public profile details. Even so, the researchers linked these pieces to patterns that revealed operating systems, account ages and companion device counts. They also spotted rare cases where cryptographic keys appeared to be reused across devices or numbers. Those findings pointed toward unofficial clients or improper implementations.
The dataset captured a broader snapshot of global behavior. Millions of active accounts appeared in regions where WhatsApp is officially blocked, including China, Iran and Myanmar. Platform distribution leaned heavily toward Android, with a global share near eighty percent; the remaining group used iOS. Privacy habits varied by country. Some regions showed heavier use of public profile photos or public status text, while others leaned toward a more locked-down setup.
The study highlighted long-term risks tied to older exposures. Nearly half of the numbers seen in the major Facebook scraping incident from 2018 remained active on WhatsApp in 2021. That persistence raised concerns about continued targeting through scams and other unwanted contact.
No message content was ever accessed, and the researchers deleted the collected data before publishing their work. End-to-end encryption protects chats, but the team stressed that metadata can still reveal patterns that matter. They noted that even limited signals can be combined to build a picture of a user’s activity window or device environment.
Meta received the disclosure and added stronger rate limits along with tighter controls around profile visibility. The company said it had already been developing stronger anti-scraping systems and used this study to validate those defenses. Meta also said it found no signs that malicious actors had used the technique at a similar scale.
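The defensive control at the center of this story is a per-source rate limit on contact-discovery lookups. The following is an added illustration, not Meta's code or anything from the Vienna study: a sliding-window limiter applied to a constructed set of lookup events, with hypothetical source identifiers, that shows how a bulk enumerator is throttled while an ordinary client syncing a few contacts is not.

```python
from collections import defaultdict, deque

# Constructed sample of contact-discovery lookups as (timestamp_seconds, source_id, number_id).
# The source names and number ids are made up for illustration; they are not real log data.
SAMPLE_EVENTS = (
    [(t * 20.0, "user-1", f"n{t}") for t in range(3)]            # 3 lookups spread over 40 s
    + [(5.0 + i * 0.1, "bulk-src", f"m{i}") for i in range(20)]  # 20 lookups inside 2 s
)
SAMPLE_EVENTS.sort()


class SlidingWindowLimiter:
    """Allow at most max_lookups per source within any window of window_seconds."""

    def __init__(self, max_lookups: int, window_seconds: float) -> None:
        self.max_lookups = max_lookups
        self.window_seconds = window_seconds
        self.windows: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, source: str, now: float) -> bool:
        q = self.windows[source]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False  # over budget: reject the lookup
        q.append(now)
        return True


def enforce(events, max_lookups: int, window_seconds: float):
    """Replay events through the limiter; return per-source allowed and blocked counts."""
    limiter = SlidingWindowLimiter(max_lookups, window_seconds)
    allowed: dict[str, int] = defaultdict(int)
    blocked: dict[str, int] = defaultdict(int)
    for ts, source, _number in events:
        if limiter.allow(source, ts):
            allowed[source] += 1
        else:
            blocked[source] += 1
    return dict(allowed), dict(blocked)


def flag_enumerators(events, max_lookups: int, window_seconds: float) -> list[str]:
    """Sources that hit the limit at least once are candidates for an abuse review."""
    _allowed, blocked = enforce(events, max_lookups, window_seconds)
    return sorted(source for source, count in blocked.items() if count > 0)


if __name__ == "__main__":
    print(enforce(SAMPLE_EVENTS, 10, 10.0))          # user-1 fully allowed, bulk-src half blocked
    print(flag_enumerators(SAMPLE_EVENTS, 10, 10.0))  # ['bulk-src']
```

The threshold of ten lookups per ten seconds is an arbitrary constructed value; a real deployment would tune it against legitimate address-book sync sizes and add per-account and per-IP dimensions.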
This event landed during a year in which Meta paid more than four million dollars to security researchers for valid bug reports across WhatsApp, Facebook, Instagram and its other platforms. The company processed about thirteen thousand submissions and accepted around eight hundred. Meta highlighted two issues in particular. One stemmed from the Vienna enumeration work. The other came from an internal analyst using a specialized proxy tool to examine WhatsApp’s network protocol. That review uncovered an incomplete validation problem in older client versions that could have triggered content retrieval from arbitrary URLs on a recipient’s device. Meta patched it before any harmful use surfaced.
The company also released a patch to address a separate high-severity vulnerability, tracked as CVE-2025-59489, that affected Quest devices through Unity-based applications. That flaw came from a different researcher and involved operating-system-level behavior rather than messaging.
Meta has started distributing the WhatsApp Research Proxy to select long-term contributors who focus on protocol-level issues. The goal is to support deeper analysis and lower the barrier for academic teams that want to study the platform. Meta said it plans to expand access later.
The enumeration study follows earlier work from the same research group. They previously examined how delivery receipts can be triggered in ways that reveal activity patterns, device switches and session counts. Their combined findings show how small fragments of metadata can be stitched together into meaningful profiles.
The researchers argue that constant scrutiny remains necessary as messaging systems change over time. Meta echoed the reminder that its platforms draw attention from attackers and researchers alike. The size of WhatsApp’s user base gives every flaw wider reach, which makes independent testing and clear disclosure important parts of the security ecosystem.
Notes: This post was edited/created using GenAI tools and reviewed by human editor. Image: DIW-Aigen