WhatsApp contact-discovery API rate-limiting security flaw
Vulnerability
Summary
Hide ▲
Show ▼
Researchers confirmed that WhatsApp's contact-discovery API lacked rate limiting, enabling large-scale enumeration of user accounts and profile data. The GetDeviceList API endpoint was used to check more than 100 million numbers per hour and identify 3.5 billion active accounts. The same weakness also exposed profile photos, about text, and other device information. WhatsApp later added rate-limiting protections after the issue was reported.
Related Happenings
NoVoice Android malware hidden in Google Play apps
Malware Activity
H score21
First: 01.04.2026 21:07
Last: 01.04.2026 21:07
Sources 1
About this happening:
**NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...
NoVoice Android malware hidden in Google Play apps
Malware ActivityAbout this happening: **NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...
Signal and WhatsApp anti-phishing account-hardening guidance
Defensive Guidance
H score26
First: 21.03.2026 15:17
Last: 21.03.2026 15:17
Sources 1
About this happening:
A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...
Signal and WhatsApp anti-phishing account-hardening guidance
Defensive GuidanceAbout this happening: A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...
FBI public warning on Signal and WhatsApp phishing
Public Sector Action
H score30
First: 20.03.2026 22:45
Last: 20.03.2026 22:45
Sources 1
About this happening:
The **US Department of State** is offering **up to $10 million** through the **Rewards for Justice** program for information that helps identify or locate **UNC5792** and **UNC422...
FBI public warning on Signal and WhatsApp phishing
Public Sector ActionAbout this happening: The **US Department of State** is offering **up to $10 million** through the **Rewards for Justice** program for information that helps identify or locate **UNC5792** and **UNC422...
Latest development: 29.06.2026 12:29
The US government offered up to $10 million for information leading to the identification of UNC5792 and UNC4221, Russian intelligence-linked threat actors targeting Signal and WhatsApp users by posing as automated support accounts and stealing verification codes or Backup Recovery Keys; CISA and the FBI warned that sharing a Backup Recovery Key can let the actor access historical private and group messages and potentially keep access after a new account is created with the same phone number.
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
Campaign
H score31
First: 12.03.2026 19:31
Last: 12.03.2026 19:31
Sources 1
About this happening:
A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
SORVEPOTEL WhatsApp malware campaign spreads across Brazil
CampaignAbout this happening: A **WhatsApp** malware campaign in **Brazil** is spreading **SORVEPOTEL**, a **self-propagating Windows malware** that uses **phishing ZIP attachments** and a desktop-only lure to...
WhatsApp rolls out parent-managed accounts for pre-teens with contact and group controls
Security Tool/Service
H score11
First: 11.03.2026 22:06
Last: 11.03.2026 22:06
Sources 1
About this happening:
**WhatsApp** is rolling out **parent-managed accounts for pre-teens**, adding controls that let parents decide who can contact a child and which groups they can join. The managed...
WhatsApp rolls out parent-managed accounts for pre-teens with contact and group controls
Security Tool/ServiceAbout this happening: **WhatsApp** is rolling out **parent-managed accounts for pre-teens**, adding controls that let parents decide who can contact a child and which groups they can join. The managed...
Timeline
-
22.11.2025 20:53 2 articles · 7mo ago
WhatsApp contact-discovery API weakness exposes 3.5 billion accounts
Initial DisclosureUniversity of Vienna and SBA Research used WhatsApp's contact-discovery / GetDeviceList API, which lacked rate limiting, to send high-volume queries from authenticated sessions and enumerate 3.5 billion active accounts while also collecting profile photos, public "about" text, and other device-linked data; after the issue was reported, WhatsApp added rate-limiting protections.
Show sources
- WhatsApp API flaw let researchers scrape 3.5 billion accounts — www.bleepingcomputer.com — 22.11.2025 20:53
- WhatsApp API flaw let researchers scrape 3.5 billion accounts — www.bleepingcomputer.com — 22.11.2025 20:53