Updated 19 November 2025 at 18:24 IST

WhatsApp Flaw Let Researchers Match Billions of Phone Numbers to Accounts; Issue Linked to Rate Limiting, Not Data ‘Leak’

A new report reveals a WhatsApp flaw that let researchers confirm which of billions of candidate phone numbers were registered on the service, matching roughly 3.5 billion numbers to accounts. Meta says the issue was responsibly disclosed by University of Vienna researchers, that there is no evidence of criminal abuse, and that private messages remained protected by end-to-end encryption.


WhatsApp is so deeply embedded in daily communication that it’s hard to picture life without it — from family chats and work coordination to running small businesses. But a new report has highlighted how one of the app’s core conveniences can also create large-scale privacy risks if abused.

Security researchers found that a flaw in WhatsApp’s rate-limiting protections allowed them to test billions of possible phone numbers to see which ones were registered on the platform. Earlier reports described this as a “breach” that “exposed” 3.5 billion phone numbers, but that framing is misleading.

Researchers did not access or download WhatsApp’s user database, nor did they “obtain” stored numbers. Instead, they generated possible number combinations and used WhatsApp’s existing “check if this number is on WhatsApp” function, a feature fundamental to all phone number-based messaging apps, to see which numbers returned a match.

Phone numbers themselves are not secret data; they form the basis of how WhatsApp, Signal, Telegram, Viber and similar services operate. The privacy risk lies in confirming, at scale, which numbers are registered and which profile details their owners have made visible. The core issue identified by the researchers was that WhatsApp allowed extremely high-volume, automated lookups without sufficiently strict limits.


According to earlier disclosures, the issue resurfaced during work conducted through WhatsApp’s Bug Bounty programme with researchers from the University of Vienna. Their study described a new enumeration approach that bypassed existing constraints and showed how large-scale matching of numbers could occur if rate limits were insufficient. WhatsApp has said that the findings helped test and validate anti-scraping defenses that were already in development.

The feature at the centre of this is one WhatsApp users are already familiar with: you enter a phone number, and the app instantly tells you whether the person is on WhatsApp — often showing the profile name and photo if the user has made them visible. It’s convenient when adding a new contact. But at scale, this lookup system can be abused to match massive numbers of accounts to their phone numbers.


Researchers demonstrated that by automating this process across billions of possible phone numbers, they could build a very large dataset of which numbers were registered on WhatsApp — along with any profile details users had chosen to make publicly visible.

They cautioned that, had malicious actors run a similar high-volume lookup before stronger rate limits were in place, it could have enabled wide-scale scraping of publicly visible user information.

The controversy intensified because prior researcher reports dating back to 2017 had warned that weak rate-limiting could allow large-scale enumeration. Critics argue that adding strict caps on number-checking attempts is a basic safeguard most services now enforce.
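To make the rate-limiting point concrete, here is an added simulation (written for this page, not WhatsApp's code or the researchers' tooling) of a contact-discovery endpoint that answers "is this number registered?". A single sweep over a numbering block recovers every registered number when the endpoint has no cap; a per-client cap cuts the sweep short; and, as an assumed attacker behaviour rather than anything the report describes, rotating through many client identities defeats a per-client cap on its own, which is why the example also includes a global per-window cap. The number block (+1555xxxxxxx), the registered set, the client names and the limit values are all constructed placeholders.

```python
"""Hypothetical contact-discovery endpoint with weak and strengthened rate limits.

Added example, not WhatsApp's implementation. Numbers, clients and limits are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple


class RateLimited(Exception):
    """Raised when a lookup exceeds the quota for the current window."""


@dataclass
class LookupService:
    registered: Set[str]                       # numbers that have an account
    max_per_client: Optional[int] = None       # None = no cap (the weak setting)
    max_global: Optional[int] = None           # cap on all lookups per window
    window_seconds: int = 3600
    clock: Callable[[], float] = lambda: 0.0   # injectable; fixed here for determinism
    _client_counts: Dict[Tuple[str, int], int] = field(default_factory=dict)
    _global_counts: Dict[int, int] = field(default_factory=dict)

    def lookup(self, client_id: str, number: str) -> bool:
        """Return whether `number` is registered, after enforcing both caps.

        Both quotas are checked before either counter is incremented, so a
        rejected call never consumes quota.
        """
        window = int(self.clock() // self.window_seconds)
        ckey = (client_id, window)
        if self.max_per_client is not None and self._client_counts.get(ckey, 0) >= self.max_per_client:
            raise RateLimited(f"{client_id}: per-client cap hit in window {window}")
        if self.max_global is not None and self._global_counts.get(window, 0) >= self.max_global:
            raise RateLimited(f"global cap hit in window {window}")
        self._client_counts[ckey] = self._client_counts.get(ckey, 0) + 1
        self._global_counts[window] = self._global_counts.get(window, 0) + 1
        return number in self.registered


def candidate_numbers(prefix: str, digits: int, count: int) -> Iterator[str]:
    """Yield the first `count` numbers of a block, e.g. +15550000000, +15550000001, ..."""
    for i in range(count):
        yield f"{prefix}{i:0{digits}d}"


def enumerate_accounts(service: LookupService, client_id: str,
                       prefix: str, digits: int, count: int) -> Tuple[List[str], int]:
    """Sweep a block from one client. Returns (registered numbers found, lookups made)."""
    found: List[str] = []
    made = 0
    for number in candidate_numbers(prefix, digits, count):
        try:
            hit = service.lookup(client_id, number)
        except RateLimited:
            break                      # the cap ends the sweep here
        made += 1
        if hit:
            found.append(number)
    return found, made


def enumerate_with_rotation(service: LookupService, prefix: str, digits: int,
                            count: int, n_clients: int) -> Tuple[List[str], int]:
    """Same sweep, but move to a fresh client id ("bot-N") whenever one is limited.

    Assumption for the example: the attacker controls n_clients identities.
    Against a per-client cap alone, the sweep simply continues on the next one.
    """
    found: List[str] = []
    made = 0
    current = 0
    for number in candidate_numbers(prefix, digits, count):
        while current < n_clients:
            try:
                hit = service.lookup(f"bot-{current}", number)
            except RateLimited:
                current += 1           # this identity is spent; try the next
                continue
            made += 1
            if hit:
                found.append(number)
            break
        else:
            break                      # every identity is limited: sweep ends
    return found, made


# Constructed population: 10,000-number block, every seventh number registered.
REGISTERED = {f"+1555{i:07d}" for i in range(0, 10_000, 7)}

if __name__ == "__main__":
    weak = LookupService(REGISTERED)
    print("no cap:           ", [len(x) if isinstance(x, list) else x
                                 for x in enumerate_accounts(weak, "bot-0", "+1555", 7, 10_000)])
    capped = LookupService(REGISTERED, max_per_client=200)
    print("per-client cap:   ", [len(x) if isinstance(x, list) else x
                                 for x in enumerate_accounts(capped, "bot-0", "+1555", 7, 10_000)])
    rotated = LookupService(REGISTERED, max_per_client=200)
    print("cap + rotation:   ", [len(x) if isinstance(x, list) else x
                                 for x in enumerate_with_rotation(rotated, "+1555", 7, 10_000, 10)])
    hardened = LookupService(REGISTERED, max_per_client=200, max_global=500)
    print("cap + global cap: ", [len(x) if isinstance(x, list) else x
                                 for x in enumerate_with_rotation(hardened, "+1555", 7, 10_000, 10)])
```

With no cap the single client makes all 10,000 lookups and recovers all 1,429 registered numbers; a per-client cap of 200 stops it after 200 lookups and 29 hits; rotating through ten identities against that same per-client cap restores 2,000 lookups and 286 hits; adding a global cap of 500 per window brings the rotated sweep down to 500 lookups and 72 hits regardless of how many identities the attacker holds. Real deployments combine such quotas with per-account reputation, device attestation and anomaly detection, none of which this toy models.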

Meta has said that the latest research helped validate improvements to anti-scraping systems and rate-limiting measures, which have since been strengthened.


Published By : Priya Pathak

Published On: 19 November 2025 at 14:49 IST