Major WhatsApp Security Flaw Uncovered by Scientists

WhatsApp has become an essential part of daily life for over three billion people around the world. It's a platform where friends, families, and businesses connect, share photos, and even conduct work on the go. The app is known for its end-to-end encryption, which ensures that messages remain private. However, new research from the University of Vienna and SBA Research reveals a concerning vulnerability in the app that could expose user data in unexpected ways.

Understanding the Vulnerability

The researchers discovered that WhatsApp can be used to determine if a phone number is associated with an active account, regardless of where it is located. Over a five-month period, they tested billions of potential phone numbers across 245 countries. By April 2025, they had confirmed more than 3.5 billion active accounts—more than what the company publicly reports.

While the encryption of messages remained intact, the issue lay in the ability to identify who was using WhatsApp. This information alone could reveal significant details about users without any need to access their actual conversations.

How the Researchers Uncovered Billions of Users

WhatsApp includes a contact-discovery feature that lets users check which contacts in their phone's address book are already on the app, so that connecting with others is easy. The researchers used this same functionality through an open-source client rather than the official app, which let them query WhatsApp's servers directly and programmatically.

They developed a program called "libphonegen" to generate realistic phone numbers based on real numbering plans in 245 countries. This process created over 63 billion possible numbers. They then asked WhatsApp whether each number was associated with an active account.

Using just one server and five registered accounts, they were able to check approximately 7,000 numbers per second. Despite the high volume of requests, WhatsApp did not block their activity, allowing them to continue their tests undeterred.

Lead author Gabriel Gegenhuber from the University of Vienna noted, “Normally, a system shouldn’t respond to such a high number of requests in such a short time, particularly when originating from a single source.” This behavior exposed a flaw that allowed the team to issue an effectively unlimited number of requests to the server, mapping user data globally.
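The method relies on the contact-discovery endpoint answering thousands of lookups per second from a single origin spread over a few accounts. As an added defender-side example (not the researchers' or WhatsApp's code), the Python below computes peak lookup rates over a constructed log, keyed both per account and per source address so that several accounts driven from one server are judged together; the log format, addresses and threshold are assumptions.

```python
# Added example (not the researchers' or WhatsApp's code): flag contact
# discovery lookups whose rate is implausible for an address-book sync.
# Assumes a constructed log format: <unix_ts> <source_ip> <account> <batch_size>.
from collections import defaultdict

# Constructed sample: one source IP driving five accounts in rotation, and one
# ordinary client syncing a 350-entry address book once.
SAMPLE_LOG = """\
1700000000.00 203.0.113.7 acct-1 400
1700000000.10 203.0.113.7 acct-2 400
1700000000.20 203.0.113.7 acct-3 400
1700000000.30 203.0.113.7 acct-4 400
1700000000.40 203.0.113.7 acct-5 400
1700000000.50 203.0.113.7 acct-1 400
1700000000.60 203.0.113.7 acct-2 400
1700000003.00 198.51.100.9 acct-77 350
"""

def parse_log(text):
    # Yield (timestamp, source_ip, account, numbers_in_batch) per line
    for line in text.splitlines():
        ts, ip, acct, n = line.split()
        yield float(ts), ip, acct, int(n)

def peak_lookup_rates(records, window=1.0):
    # Peak numbers looked up per sliding window, keyed per account AND per
    # source IP, so accounts that share an origin are also judged together.
    per_key = defaultdict(list)
    for ts, ip, acct, n in sorted(records):
        per_key[("ip", ip)].append((ts, n))
        per_key[("acct", acct)].append((ts, n))
    peaks = {}
    for key, events in per_key.items():
        start = total = peak = 0
        for ts, n in events:
            total += n
            while events[start][0] < ts - window:   # drop events older than the window
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        peaks[key] = peak
    return peaks

def flag_abusers(peaks, max_per_window=1000):
    # A per-account limit alone passes every account in the sample; only the
    # shared source IP exceeds the threshold, which is how one server driving
    # a handful of accounts stands out.
    return sorted(key for key, peak in peaks.items() if peak > max_per_window)
```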

What Public Data Reveals

Once a number was confirmed as active, WhatsApp returned data that is public by design. This included the phone number, cryptographic public keys, the account’s creation time, and, if shared by the user, profile photos and "about" messages.

From this data, the researchers could infer additional information, such as the type of phone a person used, how long their account had been active, and whether it was linked to other devices like laptops or tablets.

This led to the largest known snapshot of a global messaging network. India topped the list with over 749 million users, followed by Indonesia, Brazil, the United States, and Russia. Together, the top ten countries accounted for most of the world’s accounts.

Android phones dominated the platform, making up 81% of users, while iPhones made up the remaining 19%. Wealthier regions showed higher iPhone usage.

More than half of all users had a profile photo, and nearly one in three wrote a short bio. About 9% labeled themselves as business accounts, while roughly the same number used at least one linked device.

Accounts in Countries Where WhatsApp Is Banned

The study also found active users in countries where WhatsApp is officially blocked. China had over 2.3 million accounts, Myanmar had 1.6 million, and Iran had about 59 million users before a ban was lifted in December 2024. Within three months, that number jumped to over 67 million, with linked device use tripling.

North Korea, with its strict controls, showed only five accounts. In places where online speech can lead to punishment, even proof of account ownership can put lives at risk.

Faces, Locations, and Exposure

Millions of users also shared deeply personal details. Some posted political opinions, while others included faith symbols, sexual identity, or street slang tied to drugs. Many listed email addresses, social media names, or business links.

Risks in Profile Photos

Profile photos carried their own dangers. The researchers downloaded 77 million images from U.S.-based accounts alone. Automated scans revealed that two-thirds of these images contained clear human faces. Others revealed street scenes, homes, or workplaces.

This opens the door to creating a reverse phone directory powered by facial recognition. It also makes targeting easier for scammers, stalkers, or hostile governments.

Strange Behavior in Encryption Keys

Although messages remained protected, the researchers noticed troubling patterns in how some encryption keys were handled. Each device should have its own unique key, but 2.3 million public keys were reused across almost three million devices. One public key belonged to 20 U.S. numbers, and its private key was all zeros.

This suggests a flaw in random number generation in some unofficial clients or possible fraud. In rare cases, bad actors could impersonate someone or secretly add their own devices to accounts.
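One way a service could detect the key anomalies described above, as an added example that is not the researchers' or WhatsApp's code: the Python below derives the public key that an all-zero X25519 private key produces (assuming the registry holds X25519 keys, as Signal-protocol identity keys are) and audits a constructed registry for that key and for keys shared across phone numbers. The registry layout and phone numbers are constructed.

```python
# Added example (not the researchers' or WhatsApp's code): audit a constructed
# device-key registry for public keys shared across numbers and for the key
# derived from an all-zero private key. Assumes X25519 keys, as in Signal.
from collections import defaultdict

P, A24 = 2**255 - 19, 121665   # Curve25519 field prime and (486662 - 2) / 4

def clamp(secret: bytes) -> int:
    # RFC 7748 clamping: an all-zero secret does not stay zero, it becomes 2^254
    b = bytearray(secret)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(secret: bytes, u: int = 9) -> bytes:
    # Montgomery ladder from RFC 7748 section 5; u = 9 is the base point
    k = clamp(secret)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

ZERO_SECRET_PUBKEY = x25519(bytes(32))  # what a zeroed private key produces

def audit_registry(rows):
    # rows: (phone_number, device_id, public_key_hex). Returns keys owned by
    # more than one number, and keys that equal the zero-secret public key.
    owners = defaultdict(set)
    for number, _device, key_hex in rows:
        owners[bytes.fromhex(key_hex)].add(number)
    shared = {k.hex(): sorted(v) for k, v in owners.items() if len(v) > 1}
    degenerate = sorted(k.hex() for k in owners if k == ZERO_SECRET_PUBKEY)
    return shared, degenerate

# Constructed registry: one healthy account and three numbers (one with two
# linked devices) that all registered the zero-secret public key.
REGISTRY = [("+15550100001", "dev1", x25519(b"\x11" * 32).hex()),
            ("+15550100003", "dev1", ZERO_SECRET_PUBKEY.hex()),
            ("+15550100004", "dev1", ZERO_SECRET_PUBKEY.hex()),
            ("+15550100004", "dev2", ZERO_SECRET_PUBKEY.hex()),
            ("+15550100005", "dev1", ZERO_SECRET_PUBKEY.hex())]
```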

Old Leaks That Still Matter

To understand how long phone data remains valuable, the team tested numbers from a massive Facebook leak in 2018 that became public years later. Out of 488 million numbers, over 280 million still worked on WhatsApp.

In some countries, nearly four out of ten active numbers overlapped with the old leak. Once a number escapes into the wild, it may remain useful for criminals for years.

A Flaw Now Addressed

The researchers shared their findings with Meta, WhatsApp’s parent company, before publication. The company confirmed the issue has since been fixed.

“We are grateful to the University of Vienna researchers for their responsible partnership,” said Nitin Gupta, vice president of engineering at WhatsApp. “This collaboration successfully identified a novel enumeration technique that surpassed our intended limits. We had already been working on anti-scraping systems, and this study helped confirm their strength.”

The researchers deleted all data before publishing and did not share personal information. Their full findings will be presented in 2026 at the Network and Distributed System Security Symposium. A preprint is already public.

“These findings remind us that even mature, widely trusted systems can contain flaws with real-world consequences,” Gegenhuber said. “Security and privacy are not one-time victories. They must be constantly tested.”

The research findings are available online as a preprint on arXiv.
