
Researchers Expose WhatsApp Vulnerability Allowing Enumeration of 3.5 Billion Profiles
Researchers from the University of Vienna have uncovered a significant vulnerability in WhatsApp that permitted the enumeration of approximately 3.5 billion user profiles. This flaw allowed attackers to query WhatsApp servers to determine which phone numbers were associated with active accounts. The technique involved sending queries to WhatsApp's servers, which would respond differently depending on whether a phone number was registered with the service.

This enumeration attack posed substantial privacy risks, as it could expose users' phone numbers, leading to potential targeted attacks such as phishing or social engineering. Meta has since addressed the vulnerability by implementing measures to block this enumeration technique.

This incident underscores the importance of robust rate-limiting and access controls to prevent such attacks. For cybersecurity professionals, this serves as a reminder to regularly audit systems for enumeration vulnerabilities and implement strong protective measures. The discovery and responsible disclosure of this vulnerability highlight the critical role of ongoing security research in maintaining user privacy and security.
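One way a contact-lookup service can apply the rate limiting mentioned above, shown as an added example (not WhatsApp's or Meta's code, and not a description of Meta's actual fix): a per-client sliding-window budget on the distinct phone numbers queried. The class and client names, the 200-number budget, the one-hour window and the sample numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumed sliding window
MAX_DISTINCT = 200      # assumed budget of distinct numbers per client per window


class LookupBudget:
    """Sliding-window cap on the *distinct* phone numbers one client may look up."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)                      # client -> (ts, number)
        self.counts = defaultdict(lambda: defaultdict(int))   # client -> number -> hits

    def allow(self, client_id, number, now):
        events, counts = self.events[client_id], self.counts[client_id]
        while events and events[0][0] <= now - self.window:   # expire old lookups
            _, old = events.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        # Re-syncing known contacts is free; only new distinct numbers use budget.
        if number not in counts and len(counts) >= self.limit:
            return False   # caller should answer identically for any number here
        events.append((now, number))
        counts[number] += 1
        return True


def simulate():
    """Constructed traffic: one address-book sync client, one range walker."""
    budget = LookupBudget()
    contacts = [f"+000{n:07d}" for n in range(150)]           # constructed numbers
    sync_ok = sum(budget.allow("phone-app", c, now=r * 600 + i)
                  for r in range(3) for i, c in enumerate(contacts))
    walk_ok = sum(budget.allow("range-walker", f"+000{n:07d}", now=n)
                  for n in range(1000))
    return budget, sync_ok, walk_ok


if __name__ == "__main__":
    _, sync_ok, walk_ok = simulate()
    print(f"address-book sync: {sync_ok}/450 allowed")
    print(f"range walk:        {walk_ok}/1000 allowed")
```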