Researchers discover security vulnerability in WhatsApp

Global Collection of User Data Was Possible Through a – Now Resolved – Privacy Vulnerability.

Computer scientists from the University of Vienna and SBA Research have uncovered a significant privacy vulnerability in WhatsApp’s Contact Discovery mechanism. Exploiting this weakness, they were able to perform an unprecedented global enumeration of all WhatsApp accounts and identify 3.5 billion accounts worldwide. In collaboration with the researchers, WhatsApp has since fixed the issue.

The study highlights the importance of continuous, independent security research on widely used communication platforms and points to the risks associated with the centralization of instant messaging services. The preprint of the study has now been published, and the results will be presented at the Network and Distributed System Security (NDSS) Symposium 2026.

To let users find each other by phone number, WhatsApp’s Contact Discovery mechanism checks the phone numbers in a user’s address book against the server and reports which of them belong to registered accounts. The Vienna researchers demonstrated that this mechanism could be abused to query more than 100 million phone numbers per hour, which allowed them to confirm over 3.5 billion active accounts in 245 countries.

“Under normal circumstances, such a large number of requests from a single source or server should not be processed. That was the vulnerability: we were able to send virtually unlimited requests to the server and thus conduct a global enumeration,” explains lead author Gabriel Gegenhuber, researcher at SBA Research, and at the University of Vienna.

The collected publicly available data included phone numbers, public keys, timestamps, and – if set to public – profile photos and About texts. By analyzing these data points, the IT security specialists were further able to infer metadata such as the user’s device operating system, the age of the account, and the number of linked secondary devices (e.g., WhatsApp Web).

Additional Findings from Data Analysis

  • Millions of active WhatsApp accounts were identified in countries where the platform is officially banned, such as China, Iran, and Myanmar.
  • Insights into global WhatsApp usage patterns: worldwide Android (81%) vs. iOS (19%) distribution, regional differences in privacy behavior (e.g., use of public profile pictures or About texts), and variations in account activity and growth rates across countries.
  • In a few cases, cryptographic keys were reused across different devices or phone numbers, suggesting weaknesses in unofficial WhatsApp clients or fraudulent use.
  • Nearly half of the phone numbers leaked in the 2021 Facebook data breach (500 million phone numbers scraped in 2018) were still active on WhatsApp, illustrating the ongoing risk to the owners of leaked numbers (e.g., being targeted by scam calls).

The study did not access message content, nor were any personal data published or shared. All retrieved data were deleted by the researchers before publication. WhatsApp messages remain end-to-end encrypted, and message content was never affected.

“This end-to-end encryption protects message content, but not necessarily the associated metadata,” explains senior author Aljosha Judmayer from the University of Vienna. “Our work shows that privacy risks can arise when such metadata are collected and analyzed at scale.”

“These results remind us that even mature and widely trusted systems can contain design or implementation flaws with real-world consequences,” says lead author Gabriel Gegenhuber. “They show that security and privacy are not one-time achievements but must be continuously reassessed as technology evolves.”

“Building on our earlier findings about delivery receipts and key management, we contribute to a long-term understanding of how messaging systems evolve and where new risks emerge,” adds co-author Maximilian Günther from the University of Vienna.

WhatsApp Statement

“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers,” says Nitin Gupta, VP of Engineering at WhatsApp.

The research was conducted under strict ethical guidelines and according to principles of responsible disclosure. The vulnerability was promptly reported to Meta, the operator of WhatsApp, which has since implemented countermeasures such as rate-limiting and stricter visibility rules for profile information.
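As an added illustration (not code from the paper, its authors, or WhatsApp), the toy Python service below contrasts the weakness Gegenhuber describes above, lookups accepted from one client without any limit, with the two countermeasures this paragraph names: a per-client rate limit and a visibility rule that returns profile data only when the user has set it to public. The data model, the quota of 5,000 lookups burst followed by 100 per second, the client identifier and the phone numbers are all assumptions constructed for the example; the real service’s limits and response fields are not described on this page.

```python
# Added example, not code from the paper or from WhatsApp: a toy contact-discovery
# service that contrasts the weakness described above (lookups accepted without a
# per-client limit) with the two countermeasures the release names, a rate limit
# and a visibility rule for profile data. Field names, limits, the client id and
# the sample phone numbers are constructed for illustration only.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    phone: str
    public_key: str
    photo: str | None = None       # constructed; stands in for a profile photo
    photo_public: bool = False     # assumed privacy setting: photo visible to non-contacts


@dataclass
class TokenBucket:
    """Per-client quota: a burst of `capacity` lookups, refilled at `rate` per second."""
    capacity: float
    rate: float
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.capacity
        self.last = 0.0

    def take(self, n: int, now: float) -> bool:
        # Refill proportionally to elapsed time, never above capacity, then try to spend.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class ContactDiscovery:
    """quota=None reproduces the weakness: any client may look up any number of
    numbers at any rate. quota=(capacity, rate) applies one token bucket per client."""

    def __init__(self, accounts: list[Account], quota: tuple[float, float] | None = None):
        self.accounts = {a.phone: a for a in accounts}
        self.quota = quota
        self.buckets: dict[str, TokenBucket] = {}

    def lookup(self, client: str, numbers: list[str], now: float) -> dict[str, dict]:
        if self.quota is not None:
            bucket = self.buckets.setdefault(client, TokenBucket(*self.quota))
            if not bucket.take(len(numbers), now):
                raise PermissionError("contact-discovery quota exceeded")
        result: dict[str, dict] = {}
        for phone in numbers:
            acct = self.accounts.get(phone)
            if acct is None:
                continue               # unregistered numbers are simply absent from the reply
            entry = {"public_key": acct.public_key}
            if acct.photo_public and acct.photo is not None:
                entry["photo"] = acct.photo   # visibility rule: only if the user opted in
            result[phone] = entry
        return result


def enumerate_numbers(server: ContactDiscovery, client: str, candidates: list[str],
                      batch: int = 1000, interval: float = 0.01) -> tuple[int, int, int]:
    """Drive the endpoint the way an enumerator would: fixed-size batches at a fixed
    interval. Returns (numbers_checked, accounts_found, batches_rejected)."""
    checked = found = rejected = 0
    for k, start in enumerate(range(0, len(candidates), batch)):
        chunk = candidates[start:start + batch]
        try:
            hits = server.lookup(client, chunk, now=k * interval)
        except PermissionError:
            rejected += 1
            continue
        checked += len(chunk)
        found += len(hits)
    return checked, found, rejected


# Constructed population: 100,000 candidate numbers, every 10th one registered,
# every other registered account (every 20th number) with a public profile photo.
CANDIDATES = [f"+436640{n:05d}" for n in range(100_000)]
ACCOUNTS = [
    Account(phone=p, public_key=f"pk-{i}", photo=f"photo-{i}", photo_public=(i % 20 == 0))
    for i, p in enumerate(CANDIDATES) if i % 10 == 0
]


def run_unlimited() -> tuple[int, int, int]:
    return enumerate_numbers(ContactDiscovery(ACCOUNTS), "scraper", CANDIDATES)


def run_limited() -> tuple[int, int, int]:
    # assumed limit: 5,000 lookups burst per client, then 100 per second
    return enumerate_numbers(ContactDiscovery(ACCOUNTS, quota=(5000, 100)), "scraper", CANDIDATES)


if __name__ == "__main__":
    print("no quota        :", run_unlimited())   # (100000, 10000, 0)
    print("per-client quota:", run_limited())     # (5000, 500, 95)
```

Running the file shows the contrast directly: without a quota the same 100 batches enumerate all 100,000 candidates and confirm 10,000 registered numbers; with the quota only the first 5,000 are checked and the remaining 95 batches are rejected. A per-client bucket is only a first layer, since an enumerator can spread requests over many client identities, which is why the quote above frames the problem as volume “from a single source or server” and why WhatsApp’s statement refers to broader anti-scraping systems rather than a single limit.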

The authors emphasize that transparency, scientific scrutiny, and independent testing are crucial to maintaining trust in global communication services. They highlight that proactive collaboration between research and industry can significantly enhance user privacy and prevent misuse.

Research Context

This publication is the third study by the University of Vienna and SBA Research on the security and privacy of popular instant messengers such as WhatsApp and Signal. The researchers investigate how design and implementation choices in end-to-end encrypted messaging services may inadvertently expose user information or weaken security and privacy guarantees.

Earlier this year, the researchers published “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers”, which won the Best Paper Award at RAID 2025. It demonstrated how silent pings and their delivery receipts can be abused to infer activity patterns and online behavior of users on WhatsApp and similar platforms.

Later in the year, they followed up with “Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp’s Handshake Mechanism” (presented at USENIX WOOT 2025), an analysis of the cryptographic foundations of WhatsApp’s Prekey Distribution mechanism, revealing implementation weaknesses in the Signal-based protocol.

The current study, “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy,” broadens this research to a global scale and shows how Contact Discovery mechanisms can inadvertently enable large-scale enumeration of users at previously unknown levels. It will appear in the proceedings of the NDSS Symposium 2026, one of the leading international conferences on computer and network security.

Original Publication

Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Johanna Ullrich & Aljosha Judmayer:
Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy.
In Network and Distributed System Security Symposium (NDSS), 2026

LINKS

Research Papers:
Preprint: Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy
Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers
Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp’s Handshake Mechanism

Gabriel Gegenhuber
ERIS – SBA Research Group
