WhatsApp contact-discovery API rate-limiting security flaw

Vulnerability
Happening score: 41
1 unique sources, 1 articles

Summary

Researchers confirmed that WhatsApp's contact-discovery API lacked rate limiting, enabling large-scale enumeration of user accounts and profile data. The GetDeviceList API endpoint was used to check more than 100 million numbers per hour and identify 3.5 billion active accounts. The same weakness also exposed profile photos, about text, and other device information. WhatsApp later added rate-limiting protections after the issue was reported.

Related Happenings

NoVoice Android malware hidden in Google Play apps

Malware Activity
First: 01.04.2026 21:07 Last: 01.04.2026 21:07 Sources 1

About this happening: **NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...

Signal and WhatsApp anti-phishing account-hardening guidance

Defensive Guidance
First: 21.03.2026 15:17 Last: 21.03.2026 15:17 Sources 1

About this happening: A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...

FBI public warning on Signal and WhatsApp phishing

Public Sector Action
First: 20.03.2026 22:45 Last: 20.03.2026 22:45 Sources 1

About this happening: The **FBI** issued a **public service announcement** warning that **Signal** and **WhatsApp** users are being targeted in **phishing campaigns**. The warning says the activity has...

SORVEPOTEL WhatsApp malware campaign spreads across Brazil

Campaign
First: 12.03.2026 19:31 Last: 12.03.2026 19:31 Sources 1

About this happening: A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...

WhatsApp rolls out parent-managed accounts for pre-teens with contact and group controls

Security Tool/Service
First: 11.03.2026 22:06 Last: 11.03.2026 22:06 Sources 1

About this happening: **WhatsApp** is rolling out **parent-managed accounts for pre-teens**, adding controls that let parents decide who can contact a child and which groups they can join. The managed...

Timeline

  1. 22.11.2025 20:53 2 articles · 6mo ago

    WhatsApp contact-discovery API weakness exposes 3.5 billion accounts

    Initial Disclosure

    University of Vienna and SBA Research used WhatsApp's contact-discovery / GetDeviceList API, which lacked rate limiting, to send high-volume queries from authenticated sessions and enumerate 3.5 billion active accounts, while also collecting profile photos, public "about" text, and other device-linked data. After the issue was reported, WhatsApp added rate-limiting protections.