The World’s the Limit
WhatsApp, Meta’s instant messaging and Voice over IP service, was recently the focus of a research study through the University of Vienna, and its results were astounding. 3.5 billion mobile phone numbers – and the associated personal information connected to them – were compiled using the app’s lack of rate limiting to abuse contact-discovery API.
Application Programming Interface (API) is widely used for sharing information, especially on social media platforms. It’s in that hyperlinked ‘people you may know’ suggestion used almost everywhere that networking is. As a tool, it’s invaluable to those looking for their professional peers (like on LinkedIn), or expanding their social circle (like on Facebook, X, Instagram, Tumblr, etc). But it is an overlooked security gap.
The study, run from a single university server and five authenticated sessions, presumed they would be halted by the app’s security measures. They weren’t. The accounts weren’t blocked, the traffic wasn’t throttled, the IP address wasn’t restricted and perhaps most concerning, WhatsApp never attempted contact to see how and why one device was doing all this scraping. The researchers were able to collect 63 billion mobile numbers from around the globe, and then tested them against the API, which returned with their results. Aside from just generating data on which numbers are associated with WhatsApp accounts, the researchers were also able to gather data from other API endpoints, including GetUserInfo, GetPrekeys, and FetchPicture.
The research team reached out to WhatsApp themselves to report their findings, which then began the process of plugging this enormous opportunity for abuse by rate limiting API queries. As stated in the paper written about this study: “The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users.” The team said this would qualify as the largest data leak in history if it hadn’t been conducted under purely empirical conditions. No kidding. 3.5 billion users is, without hyperbole, half the world. Imagine if this had been run by a threat actor using LummaStealer.
WhatsApp isn’t the only place where contact-discovery API is not adequately protected from abuse. In 2021, Facebook's ‘Add Friend’ feature was exploited to allow uploaded contact lists to check whether those numbers were on the platform. In the end, threat actors were able to create profiles for 533 million users that included their numbers, Facebook IDs, names, and more. No rate limiting was in place. Twitter suffered a similar incident in 2022, and Dell in 2024. What’s highlighted here is a need for better foundational security for information sharing since this is becoming a popular vector for cybercrime. Rate limiting will help, but doesn’t address the underlying problem in online privacy: the lack thereof.
Posted on LinkedIn, 11/24/25








