WhatsApp’s popularity has always been fueled by its simplicity. Users only need a phone number to connect with anyone. But this convenience also created a major security gap. Until recently, the phone number of every WhatsApp user could be discovered easily, even by hackers.
A team of Austrian researchers demonstrated just how exposed the platform was. They were able to gather phone numbers for all 3.5 billion WhatsApp users. For roughly 57% of these accounts, they could also view profile photos. Additionally, profile text was accessible for another 29% of users.
The method was surprisingly simple. The researchers did not exploit any complex vulnerabilities. They simply added phone numbers using WhatsApp Web, the browser interface. Each time a number was added, WhatsApp indicated whether the account existed and displayed its profile photo and text.
Carried out at scale, this approach became alarming. The team tested around 100 million numbers per hour earlier this year. This risk persisted despite Meta, WhatsApp’s parent company, being warned about a similar issue in 2017.
After being alerted in April, Meta finally took action by October. The company implemented rate-limiting, which prevents bulk contact discovery. However, the flaw remained unpatched for years, potentially leaving users exposed to misuse.
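To make the rate-limiting idea concrete, here is an added sketch (not Meta's implementation, which the article does not describe) of a per-client sliding-window cap on how many distinct numbers may be looked up. The class and function names, the thresholds, the client identifiers and the sample numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: numbers in the fictional 555-01xx range.
REGISTERED = {"+15555550101", "+15555550107"}


class ContactLookupLimiter:
    """Sliding-window cap on how many distinct numbers one client may look up."""

    def __init__(self, max_distinct, window_s):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._first_seen = defaultdict(deque)  # client -> (timestamp, number), oldest first
        self._active = defaultdict(set)        # client -> numbers counted in the window

    def allow(self, client, number, now):
        seen, active = self._first_seen[client], self._active[client]
        # Drop numbers whose first lookup has aged out of the window.
        while seen and now - seen[0][0] >= self.window_s:
            active.discard(seen.popleft()[1])
        if number in active:
            return True   # re-syncing a known contact costs nothing
        if len(active) >= self.max_distinct:
            return False  # budget of new numbers is spent
        seen.append((now, number))
        active.add(number)
        return True


def lookup(limiter, client, number, now):
    """Answer an existence query, or refuse without revealing anything."""
    if not limiter.allow(client, number, now):
        return {"status": "rate_limited"}  # identical for registered and unregistered numbers
    return {"status": "ok", "registered": number in REGISTERED}


def sweep(limiter, client, count, start=0.0):
    """Simulate one client querying `count` consecutive numbers, one per second."""
    numbers = [f"+155555501{i:02d}" for i in range(count)]
    return [lookup(limiter, client, n, start + i) for i, n in enumerate(numbers)]


if __name__ == "__main__":
    limiter = ContactLookupLimiter(max_distinct=5, window_s=3600)
    answered = [r for r in sweep(limiter, "client-a", 20) if r["status"] == "ok"]
    print(f"answered {len(answered)} of 20 lookups")
```

Counting distinct numbers rather than raw requests lets an ordinary address-book re-sync pass while a sweep through a number range runs out of budget after a handful of answers.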
Meta emphasized that the data collected by the researchers was “basic publicly available information.” Private profile content remained secure, and the company reported no evidence of malicious exploitation. Non-public data was not accessed, the company added.
This highlights the delicate balance between usability and security in messaging apps. WhatsApp’s global reach means even small gaps can have massive implications, making ongoing vigilance essential.