Researchers in Austria used a flaw in WhatsApp to gather the personal data of more than 3.5 billion users in what they believe amounts to the "largest data leak in history."

The messaging platform allows users to look up others' details by inputting their phone numbers. The feature, which has been part of the platform for years, can be abused to enumerate user data, including phone number, name, and in some cases their profile image if they have one set.

Using this feature, the researchers were able to gather user details at a rate of over 100 million accounts per hour by plugging in 63 billion phone numbers generated using a tool they built using the underlying tech of Google's libphonenumber.

In typical settings, platforms would rely on rate limiting to prevent this kind of abuse, but WhatsApp still allowed enumeration on this scale without the researchers "encountering blocking or effective rate limiting."

The researchers wrote [PDF]: "To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting. With our query rate of 7,000 phone numbers per second (and session), we could confirm 3.5 billion phone numbers registered on WhatsApp (exceeding the "more than 2 billion people" officially stated by WhatsApp)."

More than 57 percent of the active accounts they enumerated had a profile picture, two-thirds of which contained detectable human faces, which the researchers said could be used to build a reverse phonebook where a person's image reveals other details about them.

Around 29 percent had text in their profile that could also build a fuller picture of each user.

Reporters, researchers, and other interested parties can often look at the coverage of data breaches, see that only basic personal information is included, and conclude that the severity of these incidents, realistically, is fairly low, given that this is often in the public domain already.

However, the text included in profiles could, in some cases, reveal additional sensitive information about the user, such as their sexual orientation, political views, drug use and trafficking, links to other platforms such as LinkedIn and Tinder, and professional email addresses.

Regarding the latter, the researchers were able to link enumerated phone numbers to government and military officials too.

Furthermore, several countries ban WhatsApp. China, Myanmar, and North Korea are notable examples, while other countries like Iran and Senegal have previously instituted bans and later rescinded them.

However, millions of active WhatsApp accounts were associated with phone numbers registered in these countries, a revelation consistent with WhatsApp boss Will Cathcart's previous admission.

Countries such as China are known for persecuting people for breaking rules, such as circumventing bans on WhatsApp and other platforms. The consequences can reportedly include detention and being sent to re-education camps.

Less critical, but still pertinent, is the potential for abuse by cybercriminals and troublemakers.

The researchers said: "Large-scale databases of registered phone numbers can be misused by attackers. Since a registered number typically indicates an active device, these lists are a reliable basis for spam, phishing, or robocall attacks."

They also said it raises the question of how long this information remains valid and therefore open to abuse.

Taking the data from the great Facebook data scrape of 2021 – which saw the phone numbers, locations, email addresses, birthdays, and marital statuses of 533 million people's profiles collected – the research team found that half of the phone numbers were still active among the 3.5 billion records they collected from WhatsApp.

The Register asked Meta for more information, including whether it has implemented any additional protections after the researchers disclosed the potential for abuse via its bug bounty program.

The tech giant did not address the efficacy or existence of additional security measures following the researchers' submission in its response, but said it was already working on anti-scraping systems.

Nitin Gupta, VP of engineering at WhatsApp, said: "We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.

"We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.

"As a reminder, user messages remained private and secure thanks to WhatsApp's default end-to-end encryption, and no non-public data was accessible to the researchers."

We also spoke to Gabriel Gegenhuber, a PhD candidate at the University of Vienna and researcher at SBA Research who co-authored the paper, and he confirmed that Meta's response was effective at preventing its methods.

He told us: "We supported Meta/WhatsApp with our knowledge in their remediation and retesting process.

"As part of that process, we have tried the exact same steps as for the original study, but were blocked swiftly. So we can confirm there are countermeasures in place now.

"This was, of course, not a detailed security audit of the entire WhatsApp infrastructure.

"As usual in security, the existence of security/privacy issues is easier to prove than their non-existence."

He also pointed to the disclosure timeline, as set out in the paper, and how it took Meta nearly a year to provide a meaningful response to the numerous tickets they raised throughout the research process.

Meta only requested a conference call to discuss the findings and asked the team members to delay publication after they supplied the company with a pre-print of their paper and notified them of their intention to publish.

"However, as soon as they realized the extent of the issue, they took it seriously and reacted promptly," said Gegenhuber. ®