univie.ac.at
University of Vienna
18.11.2025
IT-Security Researchers from the University of Vienna and SBA Research identified and responsibly disclosed a large-scale privacy weakness in WhatsApp's contact discovery mechanism that allowed the enumeration of 3.5 billion accounts. In collaboration with the researchers, Meta has since addressed and mitigated the issue. The study underscores the importance of continuous, independent security research on widely used communication platforms and highlights the risks associated with the centralization of instant messaging services. The preprint of the study has now been published, and the results will be presented in 2026 at the Network and Distributed System Security (NDSS) Symposium.
WhatsApp's contact discovery mechanism can use a user's address book to find other WhatsApp users by their phone number. Using the same underlying mechanism, the researchers demonstrated that it was possible to query more than 100 million phone numbers per hour through WhatsApp's infrastructure, confirming more than 3.5 billion active accounts across 245 countries. "Normally, a system shouldn't respond to such a high number of requests in such a short time — particularly when originating from a single source," explains lead author Gabriel Gegenhuber from the University of Vienna. "This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited requests to the server and, in doing so, map user data worldwide."
The accessible data items used in the study are the same that are public for anyone who knows a user's phone number and consist of: phone number, public keys, timestamps, and, if set to public, about text and profile picture. From these data points, the researchers were able to extract additional information, which allowed them to infer a user's operating system, account age, as well as the number of linked companion devices. The study shows that even this limited amount of data per user can reveal important information, both on macroscopic and individual levels.
The study also revealed a range of broader insights:
Millions of active WhatsApp accounts were identified in countries where the platform was officially banned, including China, Iran, and Myanmar.
Population-level insights into platform usage, such as the global distribution of Android (81%) versus iOS (19%) devices, regional differences in privacy behavior (e.g., use of public profile pictures or "about" tagline), and variations in user growth across countries.
A small number of cases showed re-use of cryptographic keys across different devices or phone numbers, pointing to potential weaknesses in non-official WhatsApp clients or fraudulent use.
Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
The study did not involve access to message content, and no personal data was published or shared. All retrieved data was deleted by the researchers prior to publication. Message content on WhatsApp is “end-to-end encrypted” and was not affected at any time. “This end-to-end encryption protects the content of messages, but not necessarily the associated metadata,” explains last author Aljosha Judmayer from the University of Vienna. “Our work shows that privacy risks can also arise when such metadata is collected and analysed on a large scale.”
“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences," says lead author Gabriel Gegenhuber from the University of Vienna: "They show that security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves."
"Building on our previous findings on delivery receipts and key management, we are contributing to a long-term understanding of how messaging systems evolve and where new risks arise," adds co-author Maximilian Günther from the University of Vienna.
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers”, says Nitin Gupta, Vice President of Engineering at WhatsApp.
Ethical Handling and Disclosure
The research was conducted with strict ethical guidelines and in accordance with responsible disclosure principles. The findings were promptly reported to Meta, the operator of WhatsApp, which has since implemented countermeasures (e.g., rate-limiting, stricter profile information visibility) to close the identified vulnerability. The authors argue that transparency, academic scrutiny, and independent testing are essential to maintaining trust in global communication services. They emphasize that proactive collaboration between researchers and industry can significantly improve user privacy and prevent abuse.
Research Context
This publication represents the third study by researchers from the University of Vienna and SBA Research examining the security and privacy of prevalent instant messengers such as WhatsApp and Signal. The team investigates how design and implementation choices in end-to-end encrypted messaging services can unintentionally expose user information or weaken privacy guarantees.
Earlier this year, the researchers published "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers" (distinguished with the Best Paper Award at RAID 2025), which demonstrated how silent pings and their delivery receipts could be abused to infer user activity patterns and online behavior on WhatsApp and similar messaging platforms. Later that same year, "Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp's Handshake Mechanism" (presented at USENIX WOOT 2025) analyzed the cryptographic foundations of WhatsApp's prekey distribution mechanism, revealing implementation weaknesses of the Signal-based protocol.
"By building on our earlier findings about delivery receipts and key management, we're contributing to a long-term understanding of how messaging systems evolve, and where new risks emerge." said Maximilian Günther (University of Vienna).
The current study, "Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy", extends this line of research to the global scope, showing how contact discovery mechanisms can unintentionally allow large-scale user enumeration at an unprecedented magnitude. It will appear in the proceedings of the NDSS Symposium 2026, one of the leading international conferences on computer and network security.
Publication: Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Johanna Ullrich und Aljosha Judmayer: Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy. In: Network and Distributed System Security Symposium (NDSS), 2026.
techcrunch.com Zack Whittaker
11:15 AM PDT · August 29, 2025
A spyware vendor was behind a recent campaign that abused a vulnerability in WhatsApp to deliver an exploit capable of hacking into iPhones and Macs.
WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of “specific targeted users.”
The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.
Apple said at the time that the flaw was used in an “extremely sophisticated attack against specific targeted individuals.” Now we know that dozens of WhatsApp users were targeted with this pair of flaws.
Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, described the attack in a post on X as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero-click” attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.
The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that’s capable of stealing data from the user’s Apple device.
Per Ó Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to “compromise your device and the data it contains, including messages.”
It’s not immediately clear who, or which spyware vendor, is behind the attacks.
When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw “a few weeks ago” and that the company sent “less than 200” notifications to affected WhatsApp users.
The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.
This is not the first time that WhatsApp users have been targeted by government spyware, a kind of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day flaws.
In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO’s Pegasus spyware. WhatsApp brought the legal case against NSO, citing a breach of federal and state hacking laws, as well as its own terms of service.
Earlier this year, WhatsApp disrupted a spyware campaign that targeted around 90 users, including journalists and members of civil society across Italy. The Italian government denied its involvement in the spying campaign. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.
france24.com In what it called an effort to "combat criminals," Russia said Wednesday it would restrict calls on the popular messaging apps WhatsApp and Telegram, platforms a watchdog says are used for fraud, extortion, and that involve Russian citizens in "terrorist activities."
Russia announced curbs on calls on the WhatsApp and Telegram messenger apps on Wednesday, saying that this was necessary to fight criminality, state media reported.
"In order to combat criminals, measures are being taken to partially restrict calls on these foreign messaging apps (WhatsApp and Telegram)," communications watchdog Roskomnadzor said, as quoted by the RIA and TASS news agencies.
The messenger apps have become "the main voice services used for fraud and extortion, and for involving Russian citizens in subversive and terrorist activities," the watchdog added.
Russian security services have frequently claimed that Ukraine was using Telegram to recruit people or commit acts of sabotage in Russia.
Moscow wants the messengers to provide access to data upon request from law enforcement, not only for fraud probes but also for investigating activities that Russia describes as terrorist ones.
"Access to calls in foreign messengers will be restored after they start complying with Russian legislation," Russia's digital ministry said.
In a statement sent to AFP, Telegram said it "actively combats misuse of its platform, including calls for sabotage or violence, as well as fraud" and removes "millions of pieces of harmful content every day".
Since launching its offensive in Ukraine, Russia has drastically restricted press freedom and freedom of speech online.
"WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people's right to secure communication, which is why Russia is trying to block it from over 100 million Russian people," a spokesperson for Meta-owned WhatsApp told AFP.
More than 100 million people in Russia use WhatsApp for messages and calls, and the platform is concerned that this is an effort to push them onto platforms more vulnerable to government surveillance, according to the spokesperson.
(FRANCE 24 with AFP)
The hack into the account of the country’s top security official has drawn criticism online.
Malaysia’s home minister had his WhatsApp account hacked and then abused to send malicious links to his contacts, according to police.
The attacker reportedly used a virtual private network (VPN) to compromise the account of Datuk Seri Saifuddin Nasution Ismail, authorities said at a press conference on Friday, adding that no victims have reported financial losses so far. They did not elaborate on how the hack was carried out.
The Ministry of Home Affairs, which oversees law enforcement, immigration and censorship, confirmed the incident and urged the public not to respond to any messages or calls claiming to be from the minister, especially those involving financial or personal requests.
The breach is under investigation and law enforcement is working to determine the hacker’s location.
Mobile phishing scams have become increasingly common in Malaysia. Local media have reported that citizens are frequently targeted by fraudsters posing as police, bank officials or court representatives.
The recent WhatsApp incident follows similar attacks on other high-ranking officials. In March, scammers hijacked the WhatsApp account of parliamentary speaker Johari Abdul and tricked some of his contacts into sending money. In 2022, threat actors accessed Telegram and Signal accounts belonging to former Prime Minister Ismail Sabri. And in 2015, hackers took over the Royal Malaysia Police’s Twitter and Facebook accounts, posting pro-Islamic State group messages.
Nasution Ismail faced online criticism and ridicule following the WhatsApp hack, with local media reporting that citizens questioned the strength of Malaysia’s cybersecurity measures, given that the country’s top security official had been successfully targeted by hackers.
Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.
On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and around $444,719 in compensatory damages.
This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.
WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”
Alsawah said the ruling “is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO Group’s spokesperson Gil Lainer left the door open for an appeal.
“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer said in a statement.
Dass sich Betrüger auf Kleinanzeigenplattformen als Kaufinteressenten ausgeben und vorschlagen, den Kauf über einen angeblichen Paketdienst abzuwickeln, ist eine bereits bekannte Masche. Neu setzen sie jedoch gefälschte Postquittungen ein, um glaubwürdiger zu wirken.
Betrüger suchen gezielt nach Angeboten auf Kleinanzeigenportalen und kontaktieren die Verkäufer zunächst über den Plattform-Chat, später meist via WhatsApp.
Die Cyberkriminellen geben vor, beispielsweise über die Schweizerische Post den Artikel sowie die Lieferung bereits bezahlt zu haben. Dazu schicken sie den potenziellen Opfern ein Foto einer angeblichen Postquittung mit einem QR-Code, der für den Erhalt des Geldes gescannt werden müsse.
Der QR-Code führt zu einer gefälschten Website auf der die Cyberkriminellen vorgeben, der Kaufbetrag werde auf die persönliche Kreditkarte überwiesen. So versuchen sie, an die Kreditkartendaten zu gelangen.
Two spyware variants – Moonshine and BadBazaar – are being used to target the mobile devices of persons of interest to Chinese intelligence, including individuals in the Taiwanese, Tibetan and Uyghur communities.
A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment - and, to be fair, it doesn't take much craft to pull that off.
The spoofing flaw, tracked as CVE-2025-30401, affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug in how the app handles file attachments.
In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a […]
The precedent-setting ruling from a Northern California federal judge could lead to massive damages against NSO Group, whose notorious spyware has been reportedly used by various governments worldwide.
La centrale nucléaire de Gösgen, dans le canton de Soleure, mise sur la technologie des drones pour sa sécurité et l'inspection. Aujourd'hui, la publication involontaire d'images suscite le débat.
Documents reveal how Israel seized files, suppressed information related to WhatsApp’s lawsuit against Pegasus spyware vendor NSO
Deux jeunes Néérlandais ont fait croire à 28 parents suisses que leurs enfants se trouvaient en détresse. Le tribunal de Zurich les a condamnés mardi.
“Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more.
WhatsApp, Signal and Telegram among apps cut from iPhone app store to comply with censorship demand
À partir du 8 décembre, les membres du gouvernement devront utiliser les applications de messagerie françaises Tchap ou Olvid.
The decision is one of the most consequential issued under the E.U.’s landmark data-protection law and creates a new business headwind for the social media giant.
Someone is allegedly selling up-to-date mobile phone numbers of nearly 500 million WhatsApp users. A data sample investigated by Cybernews likely confirms this to be true.
The malicious version of YoWhatsApp messenger, containing Triada trojan, was spreading through ads in the popular Snaptube app and the Vidmate app's internal store.
