This vulnerability allowed researchers to enumerate approximately 3.5 billion accounts on the Meta-owned messaging app without touching the content of end-to-end encrypted messages. What they could collect, at scale, was metadata: phone numbers, geographic locations, device types, and account ages.
Experts from the University of Vienna and SBA Research explained that the vulnerability lay in WhatsApp's built-in contact discovery mechanism, the feature that lets the app check which phone numbers in a user's address book belong to WhatsApp users.
The researchers found that the number of phone numbers a client could query was not rate-limited, which let them check about 100 million phone numbers per hour and, over time, reach billions of user profiles.
Gabriel Gegenhuber, the lead researcher at the University of Vienna, said: "Normally, no system should respond to such a large number of requests in such a short time, and this behavior revealed the underlying flaw, allowing us to send virtually unlimited requests and link user data globally."
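To make the enumeration risk concrete, here is an added example written for this page (illustrative Python, not WhatsApp's code and not the researchers' tooling): a toy contact-discovery endpoint in its unlimited form beside a variant with a per-client sliding-window quota, a batch-size cap, and a heuristic that flags "address books" that look like a contiguous scan of the number space. The registry contents, the quota values, the number format and the scan threshold are all constructed assumptions.

```python
"""Toy contact-discovery service: an unlimited lookup beside a rate-limited,
scan-aware variant. Illustrative code only; not WhatsApp's implementation.
All numbers and policy values below are constructed sample data."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, List, Optional, Set

# Constructed registry: pretend every 7th number in this block has an account.
REGISTERED: Set[str] = {f"+4366000{n:04d}" for n in range(0, 10000, 7)}


def lookup_unlimited(numbers: Iterable[str]) -> List[str]:
    """Weak design: answers any batch, of any size, from anyone, forever."""
    return [n for n in numbers if n in REGISTERED]


def looks_like_scan(numbers: List[str], threshold: float = 0.8) -> bool:
    """Heuristic: real address books are sparse; an enumeration batch is
    mostly consecutive numbers. Returns True when >= threshold of the
    sorted adjacent pairs differ by exactly one."""
    digits = sorted(int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit())
    if len(digits) < 10:
        return False
    consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return consecutive / (len(digits) - 1) >= threshold


@dataclass
class RateLimitedDirectory:
    """Hardened design: per-client sliding-window quota, batch cap, and
    flagging of clients whose queries look like a number-space scan.
    Policy values are assumptions, not a real provider's settings."""
    max_lookups: int = 1000        # lookups per client per window
    window_s: float = 3600.0       # window length in seconds
    max_batch: int = 500           # numbers per request
    flagged: Set[str] = field(default_factory=set)
    _history: Dict[str, Deque[float]] = field(default_factory=dict)

    def lookup(self, client: str, numbers: List[str], now: float) -> List[str]:
        if len(numbers) > self.max_batch:
            raise PermissionError("batch too large")
        hist = self._history.setdefault(client, deque())
        while hist and now - hist[0] > self.window_s:   # expire old lookups
            hist.popleft()
        if len(hist) + len(numbers) > self.max_lookups:
            raise PermissionError("rate limit exceeded")
        if looks_like_scan(numbers):
            self.flagged.add(client)                    # alert, but still serve
        hist.extend([now] * len(numbers))
        return [n for n in numbers if n in REGISTERED]


def run_scan(directory: Optional[RateLimitedDirectory], start: int, count: int,
             batch: int, client: str = "scanner", now: float = 0.0) -> dict:
    """Simulated attacker walking a contiguous number range in batches.
    directory=None uses the unlimited endpoint. Returns how many accounts
    were resolved, how many numbers were sent, and why (if) it was blocked."""
    numbers = [f"+4366000{n:04d}" for n in range(start, start + count)]
    found, sent, blocked = 0, 0, None
    for i in range(0, count, batch):
        chunk = numbers[i:i + batch]
        try:
            hits = (lookup_unlimited(chunk) if directory is None
                    else directory.lookup(client, chunk, now))
        except PermissionError as exc:
            blocked = str(exc)
            break
        found += len(hits)
        sent += len(chunk)
    return {"found": found, "sent": sent, "blocked": blocked}


if __name__ == "__main__":
    print("unlimited:", run_scan(None, 0, 10000, 500))
    d = RateLimitedDirectory()
    print("limited:  ", run_scan(d, 0, 10000, 500), "flagged:", sorted(d.flagged))
```

The unlimited endpoint resolves every registered number in the 10,000-number block in a single pass; the hardened one stops the same scan after the quota is exhausted and marks the client for review because its batches were contiguous. A legitimate sync of a sparse address book passes both the quota and the heuristic, which is the property a real anti-enumeration control has to preserve.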
Researchers collected massive amounts of data from WhatsApp accounts in 245 countries. Meta stated that it "addressed and mitigated the issue," emphasizing that the researchers securely deleted the collected data and no evidence was found of it being exploited by malicious actors.
Nitin Gupta, WhatsApp's vice president of engineering, noted that the platform's end-to-end encryption was not compromised, and that the study helped test the effectiveness of systems to combat illegal data collection.
The researchers nonetheless warned that the study highlights the risks of "centralizing" global messaging on a small number of applications: metadata alone can reveal sensitive information about users, such as their operating system, the number of linked devices, and, in some countries, even precise locations.
The study showed that millions of active accounts are located in countries that officially ban WhatsApp, such as China and Myanmar.
