WhatsApp Flaw Exposes 3.5 Billion User Profiles Through Massive Number Verification Loophole
A newly documented vulnerability in WhatsApp has revealed that profile data of up to three and a half billion users could be collected without breaching any system. Researchers at the University of Vienna demonstrated that the web version of WhatsApp accepted unlimited verification requests, allowing automated tools to check phone numbers at scale and extract profile information.
How the Vulnerability Was Exploited
Instead of attacking WhatsApp servers or bypassing encryption, the researchers used a simple program to send millions of number lookup requests. The web client responded with confirmation of whether the number was registered, and in many cases provided additional metadata such as profile photos and status messages.
By systematically scanning global number ranges, the team assembled a database containing billions of confirmed WhatsApp accounts. This process required no special permissions and did not trigger defensive measures from Meta until the findings were disclosed.
Scale of Exposure
According to the researchers, approximately half of the exposed profiles included publicly visible avatars. In some regions, up to two thirds of users unknowingly shared personal images, names, and statuses. Countries with sensitive political environments, including China and Myanmar, were of particular concern. In those regions, the simple fact of having a WhatsApp account can carry personal risk, making the exposure far more dangerous than a typical privacy breach.
Meta’s Response
Meta acknowledged the issue after the report was published and introduced new rate limits to prevent automated mass queries. The company stressed that only publicly visible profile information was accessible and that message content remains protected by end-to-end encryption. However, researchers argue that the scale of the leak dramatically magnifies the seriousness of the incident, even if the compromised data was technically public.
A Reminder of the Limits of Public Metadata
The case highlights a recurring problem in modern messaging platforms: even when conversations are secure, peripheral metadata can expose users in ways encryption cannot solve. For high-risk communities, public profile elements can reveal identity, social connections, or political affiliations.
A Structural Privacy Lesson
The vulnerability illustrates how large centralized systems can unintentionally create global datasets accessible to anyone with basic coding skills. Although Meta has begun patching the issue, the existence of a complete snapshot of WhatsApp’s user base raises long-term concerns about the reuse or resale of such data in the future.
Editorial Team — CoinBotLab
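The article says the lookups went unthrottled until Meta added rate limits. The sketch below is an added example, not Meta's implementation or code from the researchers: it shows one way a number-lookup endpoint could budget distinct numbers per client, so that a contact re-sync passes while a range walk is refused. The class name, function names, thresholds and log records are all hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque


class DistinctLookupLimiter:
    """Per-client sliding-window budget on *distinct* phone numbers checked."""

    def __init__(self, max_distinct, window_seconds):
        self.max_distinct = max_distinct      # assumed policy value
        self.window = window_seconds          # assumed policy value
        self._events = defaultdict(deque)     # client -> deque of (ts, number)
        self._counts = defaultdict(dict)      # client -> {number: hits in window}

    def _expire(self, client, now):
        events, counts = self._events[client], self._counts[client]
        while events and now - events[0][0] >= self.window:
            _, old = events.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]

    def allow(self, client, number, now):
        self._expire(client, now)
        counts = self._counts[client]
        # Re-checking a number already seen in the window costs nothing;
        # only new numbers consume budget.
        if number not in counts and len(counts) >= self.max_distinct:
            return False                      # refused and not recorded
        self._events[client].append((now, number))
        counts[number] = counts.get(number, 0) + 1
        return True


def replay(limiter, log):
    """Replay (ts, client, number) records; return refused lookups per client."""
    refused = defaultdict(int)
    for ts, client, number in log:
        if not limiter.allow(client, number, ts):
            refused[client] += 1
    return dict(refused)


def constructed_log():
    # Constructed sample data using fictional 555-01xx numbers:
    # "phone-app" re-syncs the same 5 contacts, "scanner" walks a range.
    contacts = ["+1202555%04d" % (190 + i) for i in range(5)]
    log = [(t, "phone-app", n) for t in range(0, 60, 10) for n in contacts]
    log += [(t, "scanner", "+1202555%04d" % (100 + t)) for t in range(60)]
    return sorted(log, key=lambda r: r[0])
```

Keying the budget on distinct numbers rather than raw request count is the design choice being illustrated: a per-request limit alone would treat the repeated contact sync and the range walk the same way.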