Researchers from the University of Vienna and SBA Research identified a privacy vulnerability in WhatsApp’s contact discovery mechanism that enabled enumeration of more than 3.5 billion active accounts worldwide. Meta addressed the weakness following responsible disclosure. The findings were published in a preprint and will be presented at the NDSS Symposium in 2026. “Normally, a system should not respond to such a high number of requests in such a short time, particularly when originating from a single source,” says Gabriel Gegenhuber, Researcher, University of Vienna. “This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide.” The discovery originated from an ongoing research effort by the University of Vienna and SBA Research to analyze how design choices in end-to-end encrypted messaging platforms can expose user metadata. WhatsApp uses a contact discovery process that matches the phone numbers in a user’s address book with its database. The same mechanism, when queried at scale, enabled the confirmation of more than 3.5 billion active accounts across 124 countries. This investigation builds on previous studies from the same institutions. These projects examined privacy risks related to silent
Read More
WhatsApp Flaw Exposed Over 3.5 Billion Accounts Worldwide – Mexico Business News

WhatsApp Flaw Exposed Over 3.5 Billion Accounts Worldwide – Mexico Business News