Security researchers successfully compiled a database of 3.5 billion WhatsApp user accounts by exploiting an API endpoint that lacked rate-limiting protections. The contact-discovery feature, which allows users to check if a phone number is registered on the platform, was abused to perform automated queries at a massive scale. From a single server, the team was able to check over 100 million numbers per hour without being blocked or throttled.
The researchers generated a list of 63 billion potential phone numbers and systematically queried WhatsApp's servers to identify active accounts. This process revealed extensive global usage, with India having the most users (749 million), followed by Indonesia and Brazil. The study also uncovered millions of active accounts in countries where WhatsApp was officially banned, such as China and Iran.
Beyond verifying account existence, the researchers used additional API endpoints to harvest profile pictures, "about" text, and other public user data. This incident highlights a common security weakness: an API built for a legitimate feature (here, contact discovery) can be weaponized for bulk data scraping when it lacks rate-limiting. While the researchers acted responsibly, the same technique could be used maliciously to create one of the largest data leaks in history. Following the disclosure, WhatsApp implemented rate-limiting to prevent similar abuse.
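One way a service can bound contact-discovery lookups of the kind described above, as an added example that is not from the article and not WhatsApp's actual mitigation: a per-client sliding-window budget that rejects over-size batches whole and flags the client. `LookupLimiter`, its limits, and the traffic in `simulate()` are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LookupLimiter:
    """Sliding-window budget for a contact-discovery endpoint ("is +X registered?").

    Hypothetical policy, not WhatsApp's: each client may check at most max_lookups
    numbers per window_s seconds, counted across all batch requests. A batch that
    would exceed the budget is rejected whole (HTTP 429) and the client is flagged,
    so a scraper cannot learn its remaining budget by trickling single numbers.
    """
    max_lookups: int = 500
    window_s: float = 3600.0
    _lookups: dict = field(default_factory=lambda: defaultdict(deque))  # client -> timestamps
    flagged: set = field(default_factory=set)

    def check(self, client_id: str, numbers: list[str], now: float) -> tuple[int, list[str]]:
        """Return (status, numbers permitted). `now` is an epoch-style timestamp."""
        q = self._lookups[client_id]
        while q and now - q[0] >= self.window_s:  # drop lookups that fell out of the window
            q.popleft()
        if len(q) + len(numbers) > self.max_lookups:
            self.flagged.add(client_id)
            return 429, []
        q.extend([now] * len(numbers))
        return 200, numbers


def simulate() -> dict:
    """Constructed traffic: an address-book sync versus a sequential number sweep."""
    lim = LookupLimiter(max_lookups=500, window_s=3600.0)
    benign, abusive = [], []
    # user-a syncs 300 contacts in three batches over ten minutes: all served
    for b in range(3):
        batch = [f"+1555000{i:04d}" for i in range(b * 100, b * 100 + 100)]
        benign.append(lim.check("user-a", batch, now=b * 200.0)[0])
    # user-b submits 2,000 consecutive numbers in one minute: budget exhausted after 5 batches
    for b in range(20):
        batch = [f"+91900{i:06d}" for i in range(b * 100, b * 100 + 100)]
        abusive.append(lim.check("user-b", batch, now=b * 3.0)[0])
    # once the window has slid past, user-b is served again but remains flagged for review
    later, _ = lim.check("user-b", ["+919000000001"], now=3660.0)
    return {"benign": benign, "abusive": abusive, "later": later, "flagged": sorted(lim.flagged)}


if __name__ == "__main__":
    print(simulate())
```

The `flagged` set is the signal a detection pipeline would consume; the 429 alone only slows a scraper, while the flag lets the service review or block the account.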
