Winning Bizness Desk
Mumbai. A major security weakness in WhatsApp has put the data of more than 3.5 billion users at risk, allowing profile photos, status updates and details from the about section to be accessed without permission. Researchers at the University of Vienna uncovered this vulnerability during an extensive study on WhatsApp’s contact discovery feature.
Researchers explain how flaw enables misuse
The weakness lies in the platform’s contact discovery system, which is designed to sync a user’s phonebook with WhatsApp to help locate contacts who use the app. However, this mechanism unintentionally opened a path for large-scale harvesting of user information.
To demonstrate the scale of the issue, University of Vienna researchers used the libphonenumber tool to generate realistic phone numbers from 245 countries. They then connected to WhatsApp over its XMPP protocol and sent automated queries to check which numbers were active and what profile details they revealed.
During the study, researchers ran several checks:
- Queries from 5 accounts scanned 63 billion potential phone numbers
- The system detected 3.5 billion active WhatsApp numbers at a rate of nearly 100 million per hour
- Profile photos of 56.7 percent of users were exposed
- About section texts of 29.3 percent of accounts were visible
- Many texts contained political views, religious notes or links to other social media accounts
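A defender-side view of the enumeration described above, as an added example that is not from the study or from WhatsApp: it flags accounts that look up more distinct numbers within an hour than a phonebook plausibly holds while few of those numbers are registered. The log format, thresholds and account names are assumptions, and the sample lookups are constructed.

```python
from collections import deque

WINDOW_SECONDS = 3600   # assumed look-back window
MAX_DISTINCT = 2000     # assumed ceiling for one account's phonebook
MIN_HIT_RATIO = 0.10    # assumed; the study's sweep found 3.5bn of 63bn (~5.6%)

class AccountWindow:
    """Distinct numbers one account looked up during the last window."""
    def __init__(self):
        self.events, self.counts, self.hits = deque(), {}, 0

    def add(self, ts, number, registered):
        self.events.append((ts, number, registered))
        if number not in self.counts:        # repeat lookups count once
            self.counts[number] = 0
            self.hits += registered
        self.counts[number] += 1
        while self.events[0][0] <= ts - WINDOW_SECONDS:   # expire old lookups
            _, old, was_registered = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
                self.hits -= was_registered

    def suspicious(self):
        distinct = len(self.counts)
        return distinct > MAX_DISTINCT and self.hits / distinct < MIN_HIT_RATIO

def flag_enumerators(events):
    """events: time-ordered (ts_seconds, account, number, registered) tuples."""
    windows, flagged = {}, {}
    for ts, account, number, registered in events:
        win = windows.setdefault(account, AccountWindow())
        win.add(ts, number, registered)
        if account not in flagged and win.suspicious():
            flagged[account] = (len(win.counts), round(win.hits / len(win.counts), 3))
    return flagged

def sample_events():
    """Constructed lookups, not real traffic; the +999 numbers are made up."""
    ev = []
    for i in range(300):     # ordinary phonebook sync, 2 of 3 registered
        ev.append((i, "phonebook", f"+9991{i:06d}", i % 3 != 0))
    for i in range(2500):    # large genuine contact list, 4 of 5 registered
        ev.append((i, "business", f"+9992{i:06d}", i % 5 != 0))
    for i in range(3000):    # sequential sweep, 1 of 18 registered
        ev.append((i, "sweeper", f"+9993{i:06d}", i % 18 == 0))
    return sorted(ev)

if __name__ == "__main__":
    print(flag_enumerators(sample_events()))
```

Only the sweeping account is flagged; the large but genuine contact list passes the volume threshold yet keeps a high hit ratio, which is why the two signals are combined.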
India records highest share of exposed accounts
The study found that India had the highest number of users affected, with 74.9 crore active accounts, accounting for 21.67 percent of the total exposed base. Indonesia followed with 23.5 crore accounts, while Brazil had 20.7 crore, the United States 13.8 crore and Russia 13.3 crore.
Of the exposed users, 81 percent were on Android and 19 percent on iOS. The researchers also pointed out that around 9 percent of the accounts were business accounts, which tend to share more details due to the way business features operate.
In several regions such as West Africa, nearly 80 percent of users had fully public profiles, mainly because WhatsApp remains the primary mode of communication there.
WhatsApp responds to the research findings
Nitin Gupta, WhatsApp’s Vice President of Engineering, said the research helped the company test its existing anti-scraping protections. He added that there was no sign that the flaw had been misused so far.
Gupta said Meta is now working on stronger anti-scraping systems to prevent such data-gathering attempts in the future.
Experts warn users to take privacy seriously
Cybersecurity experts urged users to review their privacy settings to reduce risks. They suggested limiting visibility of sensitive profile details and avoiding personal information in the about section.
They added that business users should rely on the secure tools available through the WhatsApp Business API.
Key user-side precautions include:
- Keep profile visibility restricted to contacts
- Avoid putting personal details in the about section
- Limit visibility of status updates
- Review WhatsApp Business settings for data security
Concern rises over long-term privacy risks
While researchers believe the issue will push Meta to strengthen defences, they also said that privacy protection is now a shared responsibility.
Users were advised to remain careful, as more data-driven scams and targeted frauds could emerge from such vulnerabilities. Keeping personal information limited and regularly updating privacy settings are now essential steps for safer digital communication.