WhatsApp flaw allowed discovery of 3.5B registered numbers
🔍 Researchers from the University of Vienna and SBA Research found a flaw in WhatsApp's contact discovery that let them enumerate valid numbers globally, confirming about 3.5 billion registered accounts. By abusing the lookup mechanism they could probe numbers across 245 countries at rates exceeding 100 million checks per hour from a single IP. The technique also exposed public (non-private) keys, timestamps, profile photos and About text, enabling inference of device OS, account age and linked secondary devices, prompting Meta to add rate limits and tighter visibility rules.
