Mallory

WhatsApp Contact Discovery Flaw Exposes Billions of Phone Numbers

Tags: mass-credential-exposure, identity-authentication-vulnerability, internet-facing-service-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 03:22 PM (11 sources)

Researchers at the University of Vienna demonstrated that WhatsApp's contact discovery feature, which tells a client whether a given phone number has a WhatsApp account, could be abused to enumerate the phone numbers of roughly 3.5 billion users worldwide. By automating lookups of every plausible phone number through WhatsApp's browser-based client, the researchers obtained not only the set of registered numbers but also profile photos for 57% of those users and profile ("About") text for 29%. The exposure was possible because Meta, WhatsApp's parent company, did not sufficiently limit the rate or volume of contact discovery lookups a single client could perform, despite prior warnings that the feature could be used for enumeration.

In response to this and other security concerns, Meta has expanded its bug bounty initiatives, launching the WhatsApp Research Proxy tool to facilitate deeper research into WhatsApp’s network protocol and platform abuse. The company also reported adding new anti-scraping protections to WhatsApp after the enumeration technique was disclosed. Meta highlighted its ongoing investment in security, noting over $4 million in bug bounties paid out in the past year and the patching of several notable vulnerabilities, including CVE-2025-59489 affecting Quest devices.

Timeline

  1. Nov 18, 2025

    Researchers publicly disclose exposure of 3.5 billion WhatsApp numbers

    Public reporting and research disclosures described the enumeration flaw as exposing the phone numbers of roughly 3.5 billion WhatsApp users across 245 countries, with some outlets calling it one of the largest data exposure events ever observed. Multiple later articles repeated this same core disclosure.

  2. Nov 18, 2025

    Meta launches WhatsApp Research Proxy and expands bounty efforts

    Meta announced a new WhatsApp Research Proxy tool for select long-time bug bounty researchers to support deeper protocol analysis, alongside a pilot program focused on platform abuse research. The company said it has paid more than $4 million in bug bounties this year and over $25 million across 15 years.

  3. Nov 18, 2025

    Meta adds anti-scraping protections to WhatsApp

    In response to the researchers' findings, Meta said it implemented anti-scraping protections to mitigate large-scale account enumeration and abuse of WhatsApp's contact discovery features. Meta also said it found no evidence that the enumeration vector had been maliciously exploited.

  4. Nov 18, 2025

    Researchers identify WhatsApp account enumeration flaw

    A University of Vienna research team discovered a WhatsApp contact-discovery enumeration technique that could bypass rate limits and determine whether phone numbers were registered on the platform at massive scale. The issue also enabled collection of associated profile metadata for exposed accounts.


Related Stories

WhatsApp Enumeration Flaw Exposes Billions of User Phone Numbers


Researchers have discovered that WhatsApp's phone number discovery feature allows for mass enumeration of user phone numbers, exposing the personal information of up to 3.5 billion users. By automating the process of checking which numbers are registered on WhatsApp, attackers can compile extensive lists of active users, potentially leading to privacy violations, targeted phishing, and other malicious activities. This vulnerability, which was first warned about eight years ago, remains unmitigated, raising significant concerns about the platform's approach to user data protection. The issue has gained renewed attention after a team from the University of Vienna demonstrated the scale of the exposure, calling it "the most extensive exposure of phone numbers" ever seen. Security experts warn that the lack of effective rate limiting or other technical safeguards enables this enumeration attack, and the incident has been widely reported in security news outlets and discussed in industry podcasts. The exposure underscores the ongoing risks associated with user enumeration flaws in major messaging platforms and the need for stronger privacy controls.

1 month ago
WhatsApp Vulnerabilities and Malware Targeting User Privacy and Security


A recently discovered vulnerability in WhatsApp allowed researchers to enumerate up to 3.5 billion active accounts by exploiting the app's contact syncing feature. This flaw, responsibly disclosed by researchers at the University of Vienna and subsequently patched by Meta, could have enabled malicious actors to build massive databases of phone numbers linked to WhatsApp, along with associated profile photos and "About" texts. While there is no evidence the vulnerability was exploited in the wild, the incident highlights the risks posed by convenience features and the critical importance of protecting phone numbers as sensitive personal data. In addition to this privacy risk, WhatsApp users are being targeted by a new Android malware that propagates itself through the platform. The malware automatically replies to incoming WhatsApp messages with malicious links, leveraging the trust users place in their contacts to spread further. This attack exploits the phenomenon of "context collapse," where users' social boundaries blur on messaging platforms, making them more susceptible to social engineering. These developments underscore the growing threat landscape facing WhatsApp users, combining both technical vulnerabilities and sophisticated social attacks.

1 month ago
Meta Patches WhatsApp Flaws Enabling Malicious URL Handling and Windows File Spoofing


Meta disclosed and patched two WhatsApp vulnerabilities affecting **iOS, Android, and Windows**, including `CVE-2026-23866`, which allowed attackers to abuse Instagram Reels integration and incomplete validation of AI-rich response messages to make victim devices process media from attacker-controlled URLs. The flaw could potentially trigger OS-level custom URL scheme handlers without user consent, creating opportunities for phishing, tracking, malware delivery, and other social-engineering attacks through seemingly legitimate WhatsApp content. Meta also fixed `CVE-2026-23863`, a WhatsApp for Windows filename spoofing issue caused by embedded NUL bytes that could make executable files appear to be benign documents and require only a single user click to exploit. The company said both bugs were reported through its bug bounty program and that it had **no evidence of active exploitation** at disclosure, while urging users to update WhatsApp from official sources and advising organizations to verify Windows clients are patched and include messaging apps in enterprise attack-surface management.

Today
