
Researchers devised a new enumeration technique that exposed 3.5B WhatsApp profiles


Researchers disclosed a WhatsApp flaw that exposed 3.5B accounts. Meta has patched it to prevent this mass enumeration.

A team of researchers at the University of Vienna found a WhatsApp flaw that could scrape 3.5 billion accounts. Meta has since patched the vulnerability to block this enumeration technique.

Users discover contacts by querying WhatsApp servers with phone numbers, allowing phone number enumeration. Despite standard rate limiting, researchers probed over 100 million numbers per hour without being blocked, revealing the platform’s vulnerability at scale. They discovered that nearly half of the numbers leaked in the 2021 Facebook breach remain active on WhatsApp.

“This architecture inherently enables phone number enumeration, as the service must allow legitimate users to query contact availability. While rate limiting is a standard defense against abuse, we revisit the problem and show that WhatsApp remains highly vulnerable to enumeration at scale,” reads the report published by the researchers. “In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting.”
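The rate-limiting gap the researchers describe is, from the service side, a detection problem: an enumeration sweep looks different from an address-book sync. As an added illustration (not code from the paper or from Meta), the analyzer below runs a sliding window over constructed contact-discovery lookup events and flags the three signatures such a sweep leaves: raw lookup volume, a high share of lookups for numbers that are not registered, and probing of contiguous numbers. The thresholds and the event format are illustrative assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60           # sliding window length in seconds (assumed policy)
MAX_LOOKUPS = 20        # hard volume cap per client per window
MIN_FOR_RATIO = 10      # ratio checks need this many lookups to mean anything
MAX_MISS_RATIO = 0.8    # sweep signature: most probed numbers are not registered
MAX_SEQ_RATIO = 0.8     # sweep signature: consecutive lookups step by +1

# Constructed sample: a legitimate client syncing a small address book and a
# scraper walking a contiguous number block. Not real traffic or real numbers.
def constructed_events():
    events = []  # (timestamp_s, client_id, queried_number, account_exists)
    legit = ["+15550100", "+15557342", "+15551984", "+15550466", "+15559921"]
    for i, num in enumerate(legit):
        events.append((float(i), "legit", num, i != 3))   # one contact not on the platform
    for i in range(25):
        events.append((0.1 * i, "scraper", f"+4412000{i:03d}", i % 10 == 0))  # 3 hits of 25
    return sorted(events)

def analyze(events, window_s=WINDOW_S, max_lookups=MAX_LOOKUPS,
            min_for_ratio=MIN_FOR_RATIO, max_miss_ratio=MAX_MISS_RATIO,
            max_seq_ratio=MAX_SEQ_RATIO):
    """Return {client_id: set(reasons)} for clients whose lookups look like enumeration."""
    recent = defaultdict(deque)   # client -> deque of (ts, exists, number_as_int) in window
    flagged = defaultdict(set)
    for ts, client, number, exists in events:
        q = recent[client]
        q.append((ts, exists, int(number.lstrip("+"))))
        while q and ts - q[0][0] > window_s:   # drop lookups that aged out of the window
            q.popleft()
        if len(q) > max_lookups:
            flagged[client].add("volume")
        if len(q) >= min_for_ratio:
            misses = sum(1 for _, e, _ in q if not e)
            if misses / len(q) > max_miss_ratio:
                flagged[client].add("miss_ratio")
            nums = [n for _, _, n in q]
            steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
            if steps / (len(nums) - 1) > max_seq_ratio:
                flagged[client].add("sequential")
    return dict(flagged)

if __name__ == "__main__":
    print(analyze(constructed_events()))   # only the scraper is flagged
```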

Researchers developed a method to generate plausible mobile numbers for 245 countries, narrowing the global candidate space to 63 B numbers. They analyzed 3.5 B WhatsApp accounts, collecting phone numbers, timestamps, profile pictures, about texts, and E2EE public keys, and creating one of the largest datasets studied ethically. Comparing it to the 2021 Facebook scraping, composed of 500 M entries, half of those numbers remain active, showing the long-term impact of that leak. The team performed a population census, revealing account activity, device types, OS shares, and profile usage, and highlighting how much account metadata remains visible despite E2EE. They identified active accounts in regions where WhatsApp is banned (China, Myanmar, North Korea, Iran), showing the bans’ ineffectiveness. The analysis of X25519 keys revealed extensive reuse and repeated one-time prekeys across devices, indicating insecure implementations or potential fraud. Some US numbers even used an all-zero private key, suggesting broken RNGs or non-standard software.

Meta attempted to downplay the problem, saying that no messages, contacts, or private data were exposed, and profile photos or “about” texts were visible only if users set them to “everyone.” The researchers reported the issue gradually across 2024–2025, but Meta said full technical details arrived only in August 2025. Mitigations began in early September, with further protections added in October.


Pierluigi Paganini

(SecurityAffairs – hacking, Meta)