A serious security vulnerability has been uncovered in WhatsApp that could affect all of the messaging platform's 3.5 billion users worldwide.
The Privacy Breach Mechanism
Security researchers from the University of Vienna and SBA Research discovered that the flaw lies within WhatsApp's contact discovery system. This feature, which asks users for permission to match mobile numbers in their address book against WhatsApp's central database, contains a critical weakness.
The vulnerability enables malicious actors to scrape phone numbers, profile photographs, and users' 'About' status information through what security experts describe as an enumeration mechanism. This means cyber criminals could systematically gather vast amounts of personal data from WhatsApp's user base.
Expert Warnings and Consequences
Marijus Briedis, chief technology officer at security firm NordVPN, explained the fundamental problem to The Independent: "This issue highlights a fundamental problem with WhatsApp's architecture: the phone number itself is the vulnerability."
He elaborated that because WhatsApp uses phone numbers as its core identity system, attackers were able to automatically test billions of numbers and retrieve profile details at remarkable speeds. With access to someone's phone number, profile photo and status, cyber criminals can construct highly targeted impersonation attacks that appear more legitimate to potential victims.
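The enumeration described above works because contact discovery answers lookups for arbitrary numbers, so a server-side defence is to tell a genuine address-book sync apart from systematic probing by volume and match rate. The following is an added example, not WhatsApp's or the researchers' code; the thresholds, the client identifier, the lookup rate and the constructed traffic are assumptions.

```python
"""Detect address-book enumeration against a contact discovery endpoint.
Added example, hypothetical and not WhatsApp's code: a real client syncs a
bounded address book that mostly matches; an enumerator does not."""
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 3600   # sliding window per client (assumed value)
MAX_DISTINCT = 5000     # larger than any realistic address book (assumed)
MIN_SAMPLE = 500        # do not judge hit rate on tiny samples
MIN_HIT_RATE = 0.20     # blind probing of number ranges mostly misses

class EnumerationDetector:
    def __init__(self):
        self.events = defaultdict(deque)      # client -> (ts, number, matched)
        self.distinct = defaultdict(Counter)  # client -> number -> count in window
        self.hits = defaultdict(int)          # client -> matched lookups in window

    def record(self, client, ts, number, matched):
        """Record one lookup; return a reason if the client looks like an enumerator."""
        ev, dc = self.events[client], self.distinct[client]
        ev.append((ts, number, matched))
        dc[number] += 1
        self.hits[client] += int(matched)
        while ev and ts - ev[0][0] > WINDOW_SECONDS:  # expire old events
            _, old_num, old_hit = ev.popleft()
            dc[old_num] -= 1
            if dc[old_num] == 0:
                del dc[old_num]
            self.hits[client] -= int(old_hit)
        n = len(dc)
        if n > MAX_DISTINCT:
            return "volume"
        if n >= MIN_SAMPLE and self.hits[client] / len(ev) < MIN_HIT_RATE:
            return "low-hit-rate"
        return None

def run_constructed_scenario():
    """Constructed traffic for three clients; returns {client: first_reason}."""
    det, flagged = EnumerationDetector(), {}
    traffic = [
        ("user", 300, lambda i: i % 10 < 7),       # real book, 70% of contacts on service
        ("scanner", 6000, lambda i: i % 20 == 0),  # blind range scan, ~5% hits
        ("listscan", 6000, lambda i: True),        # every number valid, but far too many
    ]
    for client, count, matched in traffic:
        for i in range(count):  # ten lookups per second (assumed), so nothing expires here
            reason = det.record(client, i / 10, f"+43660{i:06d}", matched(i))
            if reason and client not in flagged:
                flagged[client] = reason
    return flagged
```

The two signals are complementary: a blind scan trips the hit-rate check long before it reaches the volume ceiling, while a scan over numbers already known to be valid is caught only by volume.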
Mr Briedis issued a stark warning about the scale of this security failure: "At scale, this becomes a goldmine for scammers, criminals and well-resourced cyber groups."
Industry Response and Ongoing Concerns
Researcher Gabriel Gegenhuber from the University of Vienna emphasised the broader implications of their findings: "These discoveries remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences."
He added that "security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves." The research team published their findings in a preprint paper titled 'Hey there! You are using WhatsApp: Enumerating three billion accounts for security and privacy'.
Meta, WhatsApp's parent company, has since addressed and mitigated the vulnerability, though it remains unclear whether hackers exploited the flaw before it was fixed. The Independent has contacted Meta for additional information about the security patch and any potential user impact.
This security revelation follows recent allegations from former WhatsApp security chief Attaullah Baig, who filed a lawsuit in September claiming that WhatsApp failed to address the hacking and takeover of more than 100,000 accounts daily during his tenure from 2021 to 2025.