The Worldâs the Limit
WhatsApp, Metaâs instant messaging and Voice over IP service, was recently the focus of a research study through the University of Vienna, and its results were astounding. 3.5 billion mobile phone numbers â and the associated personal information connected to them â were compiled using the appâs lack of rate limiting to abuse contact-discovery API.
Application Programming Interface (API) is widely used for sharing information, especially on social media platforms. Itâs in that hyperlinked âpeople you may knowâ suggestion used almost everywhere that networking is. As a tool, itâs invaluable to those looking for their professional peers (like on LinkedIn), or expanding their social circle (like on Facebook, X, Instagram, Tumblr, etc). But it is an overlooked security gap.
The study, run from a single university server and five authenticated sessions, presumed they would be halted by the appâs security measures. They werenât. The accounts werenât blocked, the traffic wasnât throttled, the IP address wasnât restricted and perhaps most concerning, WhatsApp never attempted contact to see how and why one device was doing all this scraping. The researchers were able to collect 63 billion mobile numbers from around the globe, and then tested them against the API, which returned with their results. Aside from just generating data on which numbers are associated with WhatsApp accounts, the researchers were also able to gather data from other API endpoints, including GetUserInfo, GetPrekeys, and FetchPicture.
The research team reached out to WhatsApp themselves to report their findings, which then began the process of plugging this enormous opportunity for abuse by rate limiting API queries. As stated in the paper written about this study: âThe dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users.â The team said this would qualify as the largest data leak in history if it hadnât been conducted under purely empirical conditions. No kidding. 3.5 billion users is, without hyperbole, half the world. Imagine if this had been run by a threat actor using LummaStealer.
WhatsApp isnât the only place where contact-discovery API is not adequately protected from abuse. In 2021, Facebook's âAdd Friendâ feature was exploited to allow uploaded contact lists to check whether those numbers were on the platform. In the end, threat actors were able to create profiles for 533 million users that included their numbers, Facebook IDs, names, and more. No rate limiting was in place. Twitter suffered a similar incident in 2022, and Dell in 2024. Whatâs highlighted here is a need for better foundational security for information sharing since this is becoming a popular vector for cybercrime. Rate limiting will help, but doesnât address the underlying problem in online privacy: the lack thereof.
Posted on LinkedIn, 11/24/25















