Security researchers have uncovered a critical vulnerability in WhatsApp that exposed the phone numbers of over 3.5 billion users worldwide. The flaw, discovered by a team from the University of Vienna and SBA Research, could allow cyber criminals to gather profile information and infer user identities, enabling highly targeted attacks.
The vulnerability lies in WhatsApp's contact discovery mechanism, which matches phone numbers from users' address books to the app's database. This feature, designed to show which contacts use WhatsApp, can be exploited by malicious actors to scrape phone numbers, profile photos, and 'About' statuses at scale.
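One defensive control against this kind of scraping is a per-client budget on how many numbers contact discovery will resolve in a given window. The sliding-window limiter below is an added illustration, not WhatsApp's or the researchers' code; the thresholds, client ids and the log of sync requests are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample log of contact-sync requests:
# (timestamp in seconds, client id, number of phone numbers submitted)
SAMPLE_LOG = [
    (0, "client-A", 120),       # a normal address-book sync
    (30, "client-A", 5),        # a few new contacts added later
    (0, "client-B", 20000),     # bulk lookups in quick succession
    (10, "client-B", 20000),
    (20, "client-B", 20000),    # pushes client-B past the hourly budget
    (3700, "client-B", 20000),  # window has rolled over, budget is reset
]


class SyncRateLimiter:
    """Sliding-window cap on numbers a client may submit for discovery."""

    def __init__(self, max_numbers, window_s):
        self.max_numbers = max_numbers  # assumed budget per window
        self.window_s = window_s
        self.history = defaultdict(deque)  # client -> deque of (ts, count)

    def allow(self, ts, client, count):
        q = self.history[client]
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] >= self.window_s:
            q.popleft()
        used = sum(c for _, c in q)
        if used + count > self.max_numbers:
            return False  # deny and do not charge the budget
        q.append((ts, count))
        return True


def flag_enumeration(log, max_numbers=50000, window_s=3600):
    """Return (timestamp, client) pairs whose lookups exceeded the budget."""
    limiter = SyncRateLimiter(max_numbers, window_s)
    return [(ts, client) for ts, client, count in log
            if not limiter.allow(ts, client, count)]


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # [(20, 'client-B')]
```

In production the denied request would also feed an alert, since a legitimate address book rarely approaches a budget of this size.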
“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences,” said researcher Gabriel Gegenhuber. “Security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves.”
Security experts have described the discovery as a “wake-up call” for platforms using phone numbers as user identifiers. Marijus Briedis, chief technology officer at NordVPN, noted: “This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability.” With access to phone numbers, profile photos, and statuses, criminals could build impersonation attacks, creating a “goldmine for scammers, criminals and well-resourced cyber groups.”
Meta, WhatsApp's parent company, has addressed and mitigated the issue, stating it found no evidence of malicious abuse. A spokesperson said: “We are grateful to the University of Vienna researchers for their responsible partnership under our Bug Bounty program. The researchers have securely deleted the data collected, and we have found no evidence of malicious actors abusing this vector.”