
WhatsApp patch shuts down loophole that exposed data of 3.5 billion accounts

Researchers discovered a major flaw in WhatsApp's API that allowed them to identify over 3.5 billion registered accounts by bypassing rate limits. They also scraped publicly visible profile photos, "about" texts and metadata, raising serious privacy concerns.

Meta has since tightened rate limits, but experts warn that scraped data may already be in the wrong hands.
Updated on: Nov 26, 2025 | 11:07 AM

New Delhi: Researchers have discovered a significant privacy vulnerability in WhatsApp's systems, which they used to identify over 3.5 billion registered accounts through a loophole in the platform's contact discovery API. Checking billions of phone numbers across 245 countries, the team easily circumvented the rate limits meant to cap the number of queries per hour and sent millions of queries per hour without failure. WhatsApp's API responded quickly and reliably, revealing phone numbers associated with active, inactive, recycled and abandoned accounts.

The researchers also found that the loophole allowed the scraping of publicly visible profile photos, texts and metadata for an enormous number of users. In certain regions, two-thirds of accounts had visible profile images, which raises concern about how the information could be combined with facial recognition technology. Sensitive information such as political interests, sexuality and work data, or information that could be shared with contacts only, was also available on a large scale.

A flaw that unlocked global WhatsApp data

The University of Vienna and SBA Research team were able to make approximately 7,000 API requests per second from a single IP address without being rate-limited in any meaningful way. They discovered millions of accounts even in countries where WhatsApp is prohibited, such as Iran, China, Myanmar and North Korea. They also found that 58 per cent of the phone numbers compromised during the 2021 Facebook scraping were active WhatsApp accounts in 2025.

Exposed photos, "about" texts and metadata

Researchers were able to read massive amounts of profile pictures and personal "about" descriptions in addition to verifying accounts. Such information could often be sensitive, including sexual orientation, religious affiliation, political views and links to private content sites. The research cautioned that the information could create a reverse phone book in which people can be recognised by face.

WhatsApp’s response

Meta began imposing tougher rate limits in early May, following the disclosure in April. The VP of WhatsApp, Nitin Gupta, said that the company is working on industry-leading anti-scraping systems and that the scraped data was already present on other platforms. He noted that the content of messages is secured by end-to-end encryption.
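
As an added illustration (not WhatsApp's or the researchers' code), the sketch below shows one way a contact discovery endpoint can bound enumeration: a per-client sliding-window budget on distinct phone numbers looked up, exercised against constructed traffic at the roughly 7,000 lookups per second reported above. The class name, client key, window and budget are assumptions chosen for the example.

```python
from collections import defaultdict, deque


class DiscoveryLimiter:
    """Sliding-window budget on distinct phone numbers looked up per client.

    Hypothetical design: the window and budget are assumed values, not
    WhatsApp's real limits. `client` is any stable identity (account, IP).
    """

    def __init__(self, window_s=3600, max_distinct=1000):
        self.window_s = window_s
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)  # client -> deque of (ts, number)
        self._counts = defaultdict(lambda: defaultdict(int))  # client -> number -> hits

    def _expire(self, client, now):
        """Drop lookups that have aged out of the window."""
        events, counts = self._events[client], self._counts[client]
        while events and now - events[0][0] >= self.window_s:
            _, number = events.popleft()
            counts[number] -= 1
            if counts[number] == 0:
                del counts[number]

    def allow(self, client, number, now):
        """Return True if the lookup may proceed, False if it is throttled."""
        self._expire(client, now)
        counts = self._counts[client]
        # Re-checking a number already seen in the window costs no budget,
        # so a normal address-book sync is not penalised; only new numbers are.
        if number not in counts and len(counts) >= self.max_distinct:
            return False
        self._events[client].append((now, number))
        counts[number] += 1
        return True


def simulate(rate_per_s, seconds, limiter, client="client-A"):
    """Constructed traffic: one client walking sequential (made-up) numbers."""
    allowed = 0
    for i in range(rate_per_s * seconds):
        number = f"+43660{i:07d}"  # constructed sample numbers
        allowed += limiter.allow(client, number, i / rate_per_s)
    return allowed
```

Counting distinct numbers rather than raw requests is what separates a phone syncing a few hundred contacts from a client sweeping a number range.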

What users can do now?

While scraped data cannot be recalled, users can safeguard what can be seen. According to the experts, users should avoid putting sensitive information in WhatsApp profiles, limit the visibility of profile pictures and 'about' texts to contacts only, and minimise any information that they intend to make public but that is tied to long-term identifiers such as phone numbers.
