Key improvements to WhatsApp security following review of its contact system

Posted date 11/12/2025

In November 2025, researchers at the University of Vienna and SBA Research discovered a vulnerability in WhatsApp's “contact discovery” feature. Their investigation revealed that the system allowed bulk queries to check whether a phone number was registered on the platform. Combined with the absence of effective limits on request volume, this made it possible to obtain information on millions of active accounts in a short period of time.

The researchers were able to enumerate nearly 3.5 billion accounts, a figure well above the user count WhatsApp officially reports. Beyond validating phone numbers, the vulnerability also exposed the public information linked to each profile, including profile images, status texts, some technical metadata, and public encryption keys. Although private messages were not compromised, the scope of potential access posed a significant risk for social engineering, phishing, and spam campaigns. After receiving the report, the company responsible implemented measures to mitigate the problem, including traffic restrictions, anti-scraping improvements, and strengthened privacy controls. The researchers deleted the data they had collected once the investigation was completed.
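To make the two mitigations concrete, the following is an added example (not WhatsApp's code, and the thresholds, client identifiers and phone numbers are all assumed or constructed): a server-side guard for a contact-discovery endpoint that enforces a per-client sliding-window cap on the number of lookups and flags clients that query the number space sequentially, the pattern a bulk enumeration tends to produce.

```python
"""Guard for a contact-discovery endpoint (added illustration, not WhatsApp's code).

Per-client sliding-window rate limit on resolved numbers plus a heuristic that
flags a client walking the number space in order. All limits are assumed values.
"""
from collections import deque


class DiscoveryGuard:
    def __init__(self, max_per_window=200, window_seconds=3600,
                 max_batch=50, sequential_threshold=20):
        self.max_per_window = max_per_window        # lookups per client per window
        self.window_seconds = window_seconds
        self.max_batch = max_batch                  # numbers allowed per request
        self.sequential_threshold = sequential_threshold
        self._windows = {}      # client_id -> deque of lookup timestamps
        self._last = {}         # client_id -> last number queried
        self._sequential = {}   # client_id -> count of "previous + 1" lookups

    def check(self, client_id, numbers, now):
        """Decide whether a batch of phone numbers may be resolved.

        Returns (allowed, reason). Attempts are counted whether or not they are
        served, so a refused client cannot reset its budget by retrying.
        """
        if len(numbers) > self.max_batch:
            return False, "batch_too_large"

        window = self._windows.setdefault(client_id, deque())
        cutoff = now - self.window_seconds
        while window and window[0] < cutoff:        # drop expired timestamps
            window.popleft()
        window.extend([now] * len(numbers))

        # Enumeration heuristic: a genuine address book is scattered across the
        # number space, while a scraper tends to query n, n+1, n+2, ...
        last = self._last.get(client_id)
        seq = self._sequential.get(client_id, 0)
        for n in numbers:
            if last is not None and n == last + 1:
                seq += 1
            last = n
        self._last[client_id] = last
        self._sequential[client_id] = seq

        if len(window) > self.max_per_window:
            return False, "rate_limit"
        if seq >= self.sequential_threshold:
            return False, "enumeration_pattern"
        return True, "ok"
```

In production the per-client state would live in a shared store and the sequential counter would decay over time; the point here is that volume caps and pattern detection are separate checks, and a scraper that stays under the rate limit can still be caught by the second.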

Currently, there is no evidence that malicious actors exploited the vulnerability before it was disclosed, nor is it regarded as an active threat. However, the issue has reopened the discussion about the use of phone numbers as the primary identifier. WhatsApp is expected to continue strengthening its controls around contact discovery, and external audits are expected to play a larger role in the future. The recommendation for users remains to review and adjust their privacy settings to reduce the visibility of elements such as their profile photo or status when there is no need to share them publicly.