WhatsApp API Flaw Enabled Large-Scale User Enumeration
Summary
Researchers exploited a WhatsApp API flaw to scrape 3.5 billion active accounts by abusing the contact-discovery feature. The lack of rate limiting allowed them to query over 100 million numbers per hour, gathering profile photos, 'about' text, and device information. WhatsApp has since added rate-limiting protections to prevent similar abuse. The study highlights a common tactic used by threat actors to scrape user information from unprotected APIs, with similar incidents occurring on Facebook, Twitter, and Dell.
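The control the summary describes as missing and later added is a per-client cap on contact-discovery lookups. The following is an added illustration, not WhatsApp's code: a hypothetical `LookupLimiter` that bounds how many distinct phone numbers one client may check within a window, so a normal address-book re-sync passes while sequential enumeration is cut off. All names and sample numbers are constructed.

```python
from collections import defaultdict, deque


class LookupLimiter:
    """Sliding-window cap on distinct lookup targets per client (hypothetical)."""

    def __init__(self, max_distinct: int, window_s: float):
        self.max_distinct = max_distinct
        self.window_s = window_s
        # client_id -> deque of (timestamp, target), oldest first
        self._hist = defaultdict(deque)

    def _prune(self, client: str, now: float) -> None:
        q = self._hist[client]
        while q and now - q[0][0] >= self.window_s:
            q.popleft()

    def distinct_targets(self, client: str, now: float) -> int:
        self._prune(client, now)
        return len({t for _, t in self._hist[client]})

    def allow(self, client: str, target: str, now: float) -> bool:
        """Return True if the lookup may proceed, recording it if so.

        Re-checking a number already seen in the window is free, so a
        legitimate re-sync is not penalised; a client walking through
        fresh numbers hits the cap once max_distinct is reached.
        """
        self._prune(client, now)
        seen = {t for _, t in self._hist[client]}
        if target not in seen and len(seen) >= self.max_distinct:
            return False
        self._hist[client].append((now, target))
        return True


def simulate_enumeration(limit: int = 100, window_s: float = 3600.0) -> dict:
    """Constructed scenario: one client scans sequential numbers while another
    re-syncs a 30-entry address book five times. Returns allowed-lookup counts."""
    lim = LookupLimiter(limit, window_s)
    scraper_ok = sum(lim.allow("scanner", f"+1555{i:07d}", now=i * 0.01) for i in range(1000))
    contacts = [f"+44700{i:06d}" for i in range(30)]
    normal_ok = sum(lim.allow("phone-a", n, now=10.0 + k) for k in range(5) for n in contacts)
    # once the window has elapsed, the scanning client's budget is restored
    later_ok = lim.allow("scanner", "+15559999999", now=window_s + 100.0)
    return {"scanner": scraper_ok, "normal": normal_ok, "scanner_after_window": later_ok}
```

Counting distinct targets rather than raw requests is the point: the ratio of fresh numbers to known contacts is what separates enumeration from a sync.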
Timeline
- 22.11.2025 20:53, 1 article: WhatsApp API Flaw Enabled Large-Scale User Enumeration
  Source: WhatsApp API flaw let researchers scrape 3.5 billion accounts — www.bleepingcomputer.com — 22.11.2025 20:53
Information Snippets
- Researchers used WhatsApp's GetDeviceList API endpoint to check if phone numbers were associated with active accounts. (First reported: 22.11.2025 20:53; 1 source, 1 article)
- The researchers queried over 100 million numbers per hour without being throttled or blocked by WhatsApp. (First reported: 22.11.2025 20:53; 1 source, 1 article)
- The study identified 3.5 billion active WhatsApp accounts globally, with the highest usage in India (749 million). (First reported: 22.11.2025 20:53; 1 source, 1 article)
- Additional API endpoints like GetUserInfo, GetPrekeys, and FetchPicture were used to collect profile photos, 'about' text, and device information. (First reported: 22.11.2025 20:53; 1 source, 1 article)
- 58% of the leaked Facebook numbers from 2021 were still active on WhatsApp in 2025. (First reported: 22.11.2025 20:53; 1 source, 1 article)
- WhatsApp has since added rate-limiting protections to prevent similar abuse. (First reported: 22.11.2025 20:53; 1 source, 1 article)

All snippets are sourced from: WhatsApp API flaw let researchers scrape 3.5 billion accounts — www.bleepingcomputer.com — 22.11.2025 20:53