Researchers Expose WhatsApp API Flaw That Allowed Scraping of 3.5 Billion Phone Numbers

4 December 2025 Technology

WASHINGTON — Researchers from the University of Vienna and SBA Research uncovered a significant vulnerability in WhatsApp’s application programming interface (API) that allowed them to scrape 3.5 billion phone numbers, officials said. The flaw was found in WhatsApp’s GetDeviceList API, which is used to verify if a phone number is registered on the platform and to identify linked devices.

According to the researchers, the API lacked meaningful rate limiting, meaning it did not slow down or block repeated requests. This absence of restrictions enabled the team to query WhatsApp’s servers at a rate exceeding 100 million phone numbers per hour without being blocked. By generating a global pool of 63 billion possible mobile numbers and running them through the API, they confirmed the existence of 3.5 billion active WhatsApp accounts.

The researchers went beyond simply confirming account existence. They exploited additional WhatsApp endpoints such as GetUserInfo, GetPrekeys, and FetchPicture to collect further data, including profile photos, “about” text, device information, and public encryption keys. In a test conducted in the United States, they downloaded 77 million profile photos without encountering any limits, many of which contained clear images of individuals’ faces. Public “about” sections often included personal information or links to other profiles.

The study also compared the data with a 2021 Facebook number scrape and found that 58% of those leaked Facebook numbers remained active on WhatsApp years later, highlighting the long-term risks associated with phone number leaks.

The researchers have not released the scraped data publicly but reported the vulnerability to WhatsApp. In response, WhatsApp has implemented rate-limiting protections to prevent similar exploitation in the future. The findings underscore how easily threat actors could have exploited the API flaw to collect massive amounts of user data.
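The two properties the study relied on, a lookup endpoint that answered without limit and a candidate pool in which most numbers were not registered, are also what makes bulk enumeration stand out in server-side logs. The following added example (my own code, not the researchers' or WhatsApp's) runs an enumeration check over constructed lookup logs in a hypothetical format: it flags a client whose distinct queried numbers inside a sliding window exceed a threshold and whose lookups mostly miss, the way a sequential sweep does, while a normal address-book sync (few lookups, mostly hits) passes.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic in a hypothetical log format (not WhatsApp's):
# "<ISO timestamp>Z <client> <endpoint> <number> <registered|unregistered>".
def build_sample_log():
    base = datetime(2025, 12, 1, 10, 0, 0)
    lines = []
    # A normal contact sync: 20 address-book numbers, most of them registered.
    for i in range(20):
        status = "registered" if i % 10 else "unregistered"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z sync-user "
                     f"GetDeviceList +1555000{i:04d} {status}")
    # A sweep: 600 sequential numbers in ten minutes, only 1 in 20 registered.
    for i in range(600):
        status = "registered" if i % 20 == 0 else "unregistered"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z scraper-1 "
                     f"GetDeviceList +1555100{i:04d} {status}")
    return lines

def parse_line(line):
    ts, client, endpoint, number, status = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, endpoint,
            number, status == "registered")

def enumeration_report(lines, window=timedelta(minutes=10),
                       max_distinct=100, max_miss_ratio=0.5):
    """Per client: peak distinct numbers in any window, overall miss ratio, flag."""
    events = defaultdict(list)
    for line in lines:
        ts, client, endpoint, number, registered = parse_line(line)
        if endpoint == "GetDeviceList":
            events[client].append((ts, number, registered))
    report = {}
    for client, evs in events.items():
        evs.sort()
        in_window, counts, peak = deque(), Counter(), 0
        for ts, number, _ in evs:
            in_window.append((ts, number))
            counts[number] += 1
            while in_window[0][0] < ts - window:   # expire old lookups
                _, old = in_window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        misses = sum(1 for _, _, reg in evs if not reg) / len(evs)
        report[client] = {"peak_distinct": peak, "miss_ratio": round(misses, 3),
                          "flagged": peak > max_distinct and misses > max_miss_ratio}
    return report

def flag_enumerators(lines, **kw):
    return sorted(c for c, r in enumeration_report(lines, **kw).items() if r["flagged"])
```

Thresholds are illustrative; the two signals are complementary, since a throttle alone caps throughput while the miss ratio separates a sweep from a large but legitimate sync.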

This incident adds WhatsApp to a growing list of major platforms that have faced large-scale data leaks linked to weak or unprotected APIs, a pattern where features designed to improve user experience become avenues for bulk data collection, officials said.

Written By
Maya Chen reports on international politics, conflict and diplomacy. She specializes in explaining how global events shape U.S. security, trade and migration, and how decisions made abroad ripple into life at home.