Find notable cyber news and cases, enriched with sources, timelines, and signals.

WhatsApp contact-discovery API rate-limiting security flaw

Vulnerability
First reported
Last updated
Happening score
H score 89
1 unique sources, 1 articles

Summary

Hide ▲

Researchers confirmed that WhatsApp's contact-discovery API lacked rate limiting, enabling large-scale enumeration of user accounts and profile data. The GetDeviceList API endpoint was used to check more than 100 million numbers per hour and identify 3.5 billion active accounts. The same weakness also exposed profile photos, about text, and other device information. WhatsApp later added rate-limiting protections after the issue was reported.

Related Happenings

NoVoice Android malware hidden in Google Play apps

Malware Activity
H score21 First: 01.04.2026 21:07 Last: 01.04.2026 21:07 Sources 1

About this happening: **NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...

Signal and WhatsApp anti-phishing account-hardening guidance

Defensive Guidance
H score26 First: 21.03.2026 15:17 Last: 21.03.2026 15:17 Sources 1

About this happening: A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...

FBI public warning on Signal and WhatsApp phishing

Public Sector Action
H score30 First: 20.03.2026 22:45 Last: 20.03.2026 22:45 Sources 1

About this happening: The **US Department of State** is offering **up to $10 million** through the **Rewards for Justice** program for information that helps identify or locate **UNC5792** and **UNC422...

Latest development: 29.06.2026 12:29

The US government offered up to $10 million for information leading to the identification of UNC5792 and UNC4221, Russian intelligence-linked threat actors targeting Signal and WhatsApp users by posing as automated support accounts and stealing verification codes or Backup Recovery Keys; CISA and the FBI warned that sharing a Backup Recovery Key can let the actor access historical private and group messages and potentially keep access after a new account is created with the same phone number.

SORVEPOTEL WhatsApp malware campaign spreads across Brazil

Campaign
H score31 First: 12.03.2026 19:31 Last: 12.03.2026 19:31 Sources 1

About this happening: A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...

WhatsApp rolls out parent-managed accounts for pre-teens with contact and group controls

Security Tool/Service
H score11 First: 11.03.2026 22:06 Last: 11.03.2026 22:06 Sources 1

About this happening: **WhatsApp** is rolling out **parent-managed accounts for pre-teens**, adding controls that let parents decide who can contact a child and which groups they can join. The managed...

Timeline

  1. 22.11.2025 20:53 2 articles · 7mo ago

    WhatsApp contact-discovery API weakness exposes 3.5 billion accounts

    Initial Disclosure

    University of Vienna and SBA Research used WhatsApp's contact-discovery / GetDeviceList API, which lacked rate limiting, to send high-volume queries from authenticated sessions and enumerate 3.5 billion active accounts while also collecting profile photos, public "about" text, and other device-linked data; after the issue was reported, WhatsApp added rate-limiting protections.

    Show sources