WhatsApp API flaw let researchers scrape millions of Bangladeshi accounts – InfoSecBulletin

WhatsApp API flaw let researchers scrape millions of Bangladeshi accounts – InfoSecBulletin

Researchers gathered 3.5 billion WhatsApp phone numbers and personal information by abusing a contact-discovery API without proper rate limiting.

This study shows a common tactic used by threat actors to collect user information from unprotected public APIs, even though the researchers haven’t shared the data.

Abusing WhatsApp API:

The researchers from the University of Vienna and SBA Research used WhatsApp’s contact-discovery feature, which lets you submit a phone number to the platform’s GetDeviceList API endpoint to determine whether a phone number is associated with an account and what devices were used.

Without strict rate limiting, APIs can be misused for extensive enumeration on a platform.Researchers discovered that WhatsApp could handle a high volume of queries, processing over 100 million numbers per hour directly to its servers.

They conducted the operation from one university server with only five sessions, expecting WhatsApp to catch them. However, WhatsApp never blocked their accounts, throttled their traffic, restricted their IP, or contacted them despite the abuse from one device.

Researchers created a global list of 63 billion possible mobile numbers and tested them using the API, finding 3.5 billion active WhatsApp accounts including Bangladesh.

Millions of active accounts were found in countries where WhatsApp was banned, such as China, Iran, North Korea, and Myanmar. In Iran, usage increased after the ban was lifted in December 2024.

Researchers confirmed if a phone number was on WhatsApp and gathered more user info using other API endpoints like GetUserInfo, GetPrekeys, and FetchPicture.

Using these additional APIs, the researchers were able to collect profile photos, “about” text, and information about other devices associated with a WhatsApp phone number.

A test of US numbers downloaded 77 million profile photos without any rate limiting, with many showing identifiable faces. If public “about” text was available, it also revealed personal details and links to other social accounts.

Researchers discovered that 58% of Facebook numbers leaked in 2021 were still active on WhatsApp in 2025. They noted that large-scale phone number leaks pose long-term risks as they can facilitate harmful activities for years.

“With 3.5 B records (i.e., active accounts), we analyze a dataset that would, to our knowledge, classify as the largest data leak in history, had it not been collated as part of a responsibly conducted research study,” explains the “Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy” paper.

“The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users.”

The team reported the issue to WhatsApp, and the company has since added rate-limiting protections to prevent similar abuse.

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.