Scientists discovered a major security vulnerability in WhatsApp

Researchers uncovered a global WhatsApp flaw that revealed account data for billions of users before Meta fixed the issue.

Written By: Shy Cohen
Edited By: Joseph Shavit
A sweeping study revealed how WhatsApp quietly exposed who used the app worldwide, even while message texts stayed encrypted. (CREDIT: Shutterstock)

With more than three billion people opening WhatsApp each day, the app feels like a safe place to talk, share photos, and handle work on the move. Friends trust it. Families depend on it. Businesses run on it. But new academic research shows that the app quietly revealed far more about its users than most people ever expected.

A team of IT security researchers from the University of Vienna and SBA Research discovered that WhatsApp could be used to quietly confirm whether a phone number belonged to a real account, nearly anywhere on Earth. Over five months, from December 2024 through April 2025, they tested billions of possible phone numbers. By April, they had confirmed more than 3.5 billion active accounts across 245 countries. That figure is higher than the company’s own public count.

Messages stayed protected the entire time. End-to-end encryption held. The problem was not what people said to each other. The weakness lay in the simple fact of knowing who used WhatsApp and what could be learned from that alone.

WhatsApp users by continent, Android vs. iOS use, and profile picture for 3.5B users. (CREDIT: arXiv)

How billions of users were uncovered

WhatsApp offers a tool that checks which contacts in a phone’s address book are already on the app. It is meant to make connecting easy. The researchers used that same feature, but through an open source client rather than the official app. This gave them direct access to WhatsApp’s system.

They wrote a program called “libphonegen” to create realistic phone numbers from real numbering plans in 245 countries. That produced more than 63 billion possible numbers. They then asked WhatsApp one basic question about each number: Is this an account?

Using just one server and five registered accounts, they checked about 7,000 numbers per second. WhatsApp never completely shut them down. Their accounts stayed active. Their internet address was not blocked.

“Normally, a system shouldn’t respond to such a high number of requests in such a short time, particularly when originating from a single source,” said lead author Gabriel Gegenhuber of the University of Vienna. “This behavior exposed the underlying flaw, which allowed us to issue effectively unlimited requests to the server and, in doing so, map user data worldwide.”
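The mitigation the quote points at, as an added example that is not WhatsApp's or the researchers' code: a per-account lookup budget for a contact-discovery endpoint in which re-checking known contacts is free but previously unseen numbers are charged, so an account sweeping fresh numbers at the paper's 7,000 per second is cut off while an ordinary address-book sync is not. Threshold values, account names and phone numbers are assumptions.

```python
# Added example, not WhatsApp's code: a per-account budget for a contact-discovery
# endpoint. A real client re-checks the same address book, so only numbers the
# account has never asked about are charged; a scraper walking fresh numbers at
# thousands per second exhausts the budget at once. Thresholds are assumptions.
from collections import deque


class ContactDiscoveryBudget:
    def __init__(self, max_new_numbers=2000, window_s=86400):
        self.max_new = max_new_numbers  # charged lookups allowed per window
        self.window = window_s
        self.seen = {}     # account -> numbers it has already looked up
        self.charged = {}  # account -> timestamps of charged (new) lookups

    def check(self, account, numbers, now):
        """Split one batch into (allowed, rejected) lookups for this account."""
        seen = self.seen.setdefault(account, set())
        charged = self.charged.setdefault(account, deque())
        while charged and charged[0] <= now - self.window:
            charged.popleft()  # slide the window forward
        allowed, rejected = [], []
        for number in numbers:
            if number in seen:
                allowed.append(number)  # re-sync of a known contact is free
            elif len(charged) < self.max_new:
                charged.append(now)
                seen.add(number)
                allowed.append(number)
            else:
                rejected.append(number)
        return allowed, rejected


def simulate():
    """Constructed traffic: one phone syncing 300 contacts twice, and one account
    sweeping 7,000 fresh numbers per second for three seconds (the paper's rate)."""
    budget = ContactDiscoveryBudget()
    book = [f"+1555{i:07d}" for i in range(300)]
    legit_rejected = sum(len(budget.check("phone-1", book, now=t)[1]) for t in (0, 3600))
    scraper_rejected = 0
    for sec in range(3):
        sweep = [f"+44{sec * 7000 + i:09d}" for i in range(7000)]
        scraper_rejected += len(budget.check("acct-x", sweep, now=sec)[1])
    return {"legit_rejected": legit_rejected, "scraper_rejected": scraper_rejected}
```

A production service would keep the per-account "seen" set as a bounded fingerprint store rather than raw numbers, and would aggregate the same budget per source address as well.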

WhatsApp Use per Capita: At 95 % in South America and 80 % in Europe, a majority of citizens have an active WhatsApp account. (CREDIT: arXiv)

What public data quietly reveals

Once a number was confirmed, the system returned data that is public by design. That included the phone number, cryptographic public keys, the account’s creation time, and, if shared by the user, profile photos and “about” messages.

From that, the team could infer even more. They could tell what kind of phone a person used, how long their account existed, and whether it was linked to other devices such as laptops or tablets.

This led to the largest known snapshot of a global messaging network. India topped the list with more than 749 million users. Indonesia, Brazil, the United States, and Russia followed. Together, the top ten countries held most of the world’s accounts.

Android phones ruled the platform, making up 81 percent of users. iPhones accounted for the rest. Wealthier regions showed far heavier iPhone use.

More than half of all users had a profile photo. Nearly one in three wrote a short bio. About 9 percent labeled themselves as business accounts. Roughly the same number used at least one linked device.

WhatsApp adoption per continent. Percentage shares are calculated by dividing the number of discovered WhatsApp accounts by the respective population size (per capita) of each continent. (CREDIT: arXiv)

Accounts where WhatsApp is banned

The study found active users in countries where WhatsApp is officially blocked.

China had more than 2.3 million accounts. Myanmar showed 1.6 million. Iran already counted about 59 million users before a ban was lifted in December 2024. Within three months, that jumped to more than 67 million. Linked device use tripled.

North Korea, with its tight controls, showed only five accounts.

In places where online speech can bring punishment, even proof of account ownership can put lives at risk.

Faces, locations, and exposure

Millions of users also shared deeply personal details.

Some posted political opinions. Others included faith symbols, sexual identity, or street slang tied to drugs. Many listed email addresses, social media names, or business links.

Distribution of prekey bundle age across our retrieved data. Over 90 % of users have updated their keys within the past month. Consistent with WhatsApp’s account deletion policy, most accounts with keys older than 120 days have been automatically removed. (CREDIT: arXiv)

Profile photos carried their own danger. The researchers downloaded 77 million images from accounts tied to U.S. numbers alone. Automated scans showed two-thirds included clear human faces. Others revealed street scenes, homes, or workplaces.

This opens the door to building a reverse phone directory powered by faces. It also makes targeting easier for scammers, stalkers, or hostile governments.

Strange behavior in encryption keys

Messages stayed protected. But the researchers noticed disturbing patterns in how some encryption keys were handled.

Each device should have its own unique key. Instead, 2.3 million keys were reused across almost three million devices. One public key had an even deeper flaw. It belonged to 20 U.S. numbers, and its private key was all zeros.

That points to broken random number creation in some unofficial clients or possible fraud. In rare cases like this, bad actors could pretend to be someone else or secretly add their own devices to accounts.
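An offline audit for the two key anomalies described above (one key shared across devices, and a key whose private half is all zeros), as an added example that is not the paper's or WhatsApp's code; it uses a minimal pure-Python X25519 from RFC 7748 so that the public key an all-zero private key would produce can be derived and denylisted. Device ids and sample keys are constructed.

```python
# Added example, not from the paper or WhatsApp: audit identity public keys for
# the two anomalies the article reports, using a small pure-Python X25519 from
# RFC 7748. Device ids and sample keys below are constructed.
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (not constant-time; fine for an offline audit)."""
    k = int.from_bytes(scalar, "little") & ~7 & ((1 << 255) - 1) | (1 << 254)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# Clamping turns an all-zero private key into the fixed scalar 2**254, so the
# public key a broken client would publish is one known constant to denylist.
ZERO_PRIVATE_PUBLIC = x25519(bytes(32), BASEPOINT)

def audit_identity_keys(devices):
    """devices: iterable of (device_id, public_key). Returns
    ({key: [device ids sharing it]}, [device ids publishing the zero-key constant])."""
    by_key = {}
    for dev, pub in devices:
        by_key.setdefault(pub, []).append(dev)
    reused = {pub: devs for pub, devs in by_key.items() if len(devs) > 1}
    return reused, by_key.get(ZERO_PRIVATE_PUBLIC, [])

def demo():
    """Constructed sample: three sound devices, two sharing a key, one zero key."""
    sound = [(f"dev{i}", x25519(os.urandom(32), BASEPOINT)) for i in range(3)]
    shared = x25519(os.urandom(32), BASEPOINT)
    devices = sound + [("devA", shared), ("devB", shared), ("devZ", ZERO_PRIVATE_PUBLIC)]
    return audit_identity_keys(devices)
```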

Old leaks that still matter

To see how long phone data stays valuable, the team tested numbers from a massive Facebook scrape in 2018 that went public years later. Out of 488 million numbers, more than 280 million still worked on WhatsApp.

In some countries, nearly four in ten active numbers overlapped with the old leak. Once a number escapes into the wild, it may stay useful for criminals for years.

A flaw now addressed

The researchers shared their findings with Meta, WhatsApp’s parent company, before publication. The company confirmed the issue has since been fixed.

“We are grateful to the University of Vienna researchers for their responsible partnership,” said Nitin Gupta, vice president of engineering at WhatsApp. “This collaboration successfully identified a novel enumeration technique that surpassed our intended limits. We had already been working on anti-scraping systems, and this study helped confirm their strength.”

The researchers deleted all data before publishing and did not share personal information. Their full findings will be presented in 2026 at the Network and Distributed System Security Symposium. A preprint is already public.

“These findings remind us that even mature, widely trusted systems can contain flaws with real world consequences,” Gegenhuber said. “Security and privacy are not one time victories. They must be constantly tested.”

Research findings are available online on arXiv.

Shy Cohen
Science & Technology Writer

Shy Cohen is a Washington-based science and technology writer covering advances in AI, biotech, and beyond. He reports news and writes plain-language explainers that analyze how technological breakthroughs affect readers and society. His work focuses on turning complex research and fast-moving developments into clear, engaging stories. Shy draws on decades of experience, including long tenures at Microsoft and his independent consulting practice to bridge engineering, product, and business perspectives. He has crafted technical narratives, multi-dimensional due-diligence reports, and executive-level briefs, experience that informs his source-driven journalism and rigorous fact-checking. He studied at the Technion – Israel Institute of Technology and brings a methodical, reader-first approach to research, interviews, and verification. Comfortable with data and documentation, he distills jargon into crisp prose without sacrificing nuance.