

Ethical Hacking News

WhatsApp's Lurking Vulnerability: A 3.5 Billion-Profile Exposure


WhatsApp's vulnerability has exposed 3.5 billion user profiles, raising concerns about user privacy and security. Researchers have developed a method to probe millions of phone numbers per hour, potentially uncovering sensitive information. Meta has patched the issue, but experts urge continued vigilance in the face of such vulnerabilities.

  • Researchers discovered a flaw in WhatsApp's architecture that allows for mass enumeration of user profiles.
  • The vulnerability enables attackers to probe millions of phone numbers per hour, potentially uncovering sensitive information about individual users.
  • A study analyzed 3.5 billion WhatsApp accounts and created one of the largest datasets studied ethically.
  • Nearly half of leaked numbers from previous breaches remain active on WhatsApp.
  • Active accounts in banned regions suggest that bans may not be effective in preventing malicious activity.
  • Analysis revealed extensive reuse of X25519 keys, indicating insecure implementations or potential fraud.



In a recent revelation that has sent shockwaves through the cybersecurity community, researchers have discovered a flaw in WhatsApp's architecture that allows for the mass enumeration of user profiles. This vulnerability, exposed by a team of researchers at the University of Vienna, has significant implications for the privacy and security of billions of WhatsApp users worldwide.

According to the team's research paper, the flaw lies in WhatsApp's contact-discovery design, which lets a legitimate user query whether a phone number is registered without being blocked or effectively rate-limited. With sufficient computational power and resources, an attacker can therefore probe millions of phone numbers per hour, potentially uncovering sensitive information about individual users.
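As an added illustration that is not part of the original article or of WhatsApp's own systems, the following Python sketch shows the kind of check a service could run on its side to notice this abuse: it tracks, per client, how many distinct numbers are looked up within a sliding one-hour window and what share of those lookups hit a registered account. The log format, client ids, phone numbers and thresholds are all constructed for the example.

```python
# Added example, not the article's or WhatsApp's code: per-client sliding-window
# detector for contact-discovery enumeration. Inputs are constructed; per-client
# timestamps are assumed non-decreasing.
from collections import defaultdict, deque

WINDOW = 3600   # seconds; the article quotes probe rates "per hour"
LIMIT = 5000    # assumed ceiling of distinct numbers a genuine address-book sync needs

class EnumerationDetector:
    def __init__(self, window=WINDOW, limit=LIMIT):
        self.window, self.limit = window, limit
        self.recent = defaultdict(deque)           # client -> (ts, number) in window
        self.distinct = defaultdict(dict)          # client -> {number: count in window}
        self.totals = defaultdict(lambda: [0, 0])  # client -> [queries, hits]
    def observe(self, client, ts, number, registered):
        """Record one lookup; True once the client exceeds the distinct-number limit."""
        tot = self.totals[client]
        tot[0] += 1
        tot[1] += int(registered)
        self.recent[client].append((ts, number))
        seen = self.distinct[client]
        seen[number] = seen.get(number, 0) + 1
        while self.recent[client][0][0] < ts - self.window:  # expire old lookups
            _, old = self.recent[client].popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        return len(seen) > self.limit
    def hit_ratio(self, client):
        # share of lookups that found a registered account; enumerators score low
        queries, hits = self.totals[client]
        return hits / queries if queries else 0.0

def parse_line(line):
    # constructed format: "<epoch> <client_id> lookup <number> <hit|miss>"
    ts, client, _, number, result = line.split()
    return client, int(ts), number, result == "hit"

def scan(lines):
    det = EnumerationDetector()
    flagged = set()
    for line in lines:
        client, ts, number, hit = parse_line(line)
        if det.observe(client, ts, number, hit):
            flagged.add(client)
    return flagged, det

def constructed_log():
    # sync-client: 300 contacts, 90% registered; enum-client: 8000 consecutive
    # numbers in under an hour, 5% registered (the study found 3.5B of 63B candidates)
    sync = [f"{1700000000 + i} sync-client lookup +4366{100000 + i} {'hit' if i % 10 else 'miss'}"
            for i in range(300)]
    enum = [f"{1700000000 + i // 3} enum-client lookup +4367{700000 + i} {'hit' if i % 20 == 0 else 'miss'}"
            for i in range(8000)]
    return sync + enum
```

The distinct-number count is the trigger; the hit ratio is a second signal, since an enumerator walking a candidate space mostly hits unregistered numbers while a real address-book sync mostly hits registered ones.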

The researchers developed a method to generate plausible mobile numbers for 245 countries, narrowing the global candidate set to 63 billion. They then analyzed 3.5 billion WhatsApp accounts, collecting phone numbers, timestamps, profile pictures, "about" texts, and E2EE public keys, and creating one of the largest datasets studied ethically.

The study revealed that nearly half of the numbers leaked in the 2021 Facebook breach remain active on WhatsApp, showing the long-term impact of earlier security breaches. The researchers also found active accounts in regions where WhatsApp is banned, such as China, Myanmar, North Korea, and Iran, which suggests that bans may not be effective in preventing malicious activity.

The analysis of X25519 keys revealed extensive key reuse and repeated one-time prekeys across devices, indicating insecure implementations or potential fraud. Some US numbers even used an all-zero private key, suggesting broken RNGs or non-standard software.

Meta, WhatsApp's parent company, initially downplayed the issue, stating that no messages, contacts, or private data were exposed, and that profile photos and "about" texts were visible only if users had set them to "everyone." The researchers reported the issue to Meta in stages across 2024-2025, with full technical details delivered in August 2025.

Mitigations began in early September, with further protections added in October. The news has raised concerns about WhatsApp's security and the potential for future breaches, highlighting the need for continued vigilance and improvement in the platform's defenses.

This discovery serves as a stark reminder of the importance of robust security measures and regular audits to prevent such vulnerabilities from being exploited. As the world becomes increasingly reliant on digital communication platforms like WhatsApp, it is essential that these services prioritize user safety and data protection.




Related Information:
  • https://www.ethicalhackingnews.com/articles/WhatsApps-Lurking-Vulnerability-A-35-Billion-Profile-Exposure-ehn.shtml
  • https://securityaffairs.com/184886/mobile-2/researchers-devised-a-new-enumeration-technique-that-exposed-3-5b-whatsapp-profiles.html


  • Published: Thu Nov 20 17:48:09 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.
