WhatsApp API flaw — massive data scraping exposed

Ethan Cole

A WhatsApp API flaw has shown how easily attackers could have collected user data at planetary scale. Researchers from the University of Vienna and SBA Research demonstrated that WhatsApp's contact-discovery API had no effective rate limiting. Because of that oversight, they were able to enumerate 3.5 billion phone numbers with active accounts and pull the profile data tied to them. Their findings show how fragile user privacy becomes when a widely used app exposes a powerful API without safeguards that match its reach.

How the WhatsApp API flaw enabled large-scale scraping

WhatsApp's "contact discovery" feature lets the app check whether a phone number is linked to an account, so that the people in a user's address book show up as contacts. The researchers used an endpoint called GetDeviceList for this check. Under normal use it is called for the handful of numbers in one address book. Without strict limits, however, the same endpoint can be scripted to check millions of arbitrary numbers, turning a convenience feature into an existence oracle for the entire phone-number space.

The research team tried exactly that. First, they sent rapid, high-volume requests from a single university server using only five authenticated sessions. They expected WhatsApp to throttle the traffic. Instead, the system answered every request. It never flagged the behaviour, restricted the accounts, or blocked the server's IP address. Because nothing slowed the process down, the team escalated: they generated roughly 63 billion candidate phone numbers covering the world's numbering plans and ran every one of them through the API.

This sweep identified 3.5 billion active WhatsApp accounts, making it one of the largest potential data exposures ever documented, even though the study was conducted responsibly and the data were never released.
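To make the mechanics concrete, here is an added simulation (not code from the study or from WhatsApp) of a contact-discovery oracle with and without per-session limits. The ten-thousand-number space, the 5% registered set, the five sessions, the token-bucket sizes and the per-window cap are constructed assumptions chosen only to make the run reproducible; the real service's numbers, endpoints and controls are not modelled.

```python
"""Contact-discovery oracle, open vs. rate-limited (constructed simulation).

This is an added illustration, not WhatsApp code. The number space, the set
of "registered" numbers, the quotas and the simulated clock are assumptions
chosen so the sweep runs offline in well under a second. The shape mirrors
the study: a handful of authenticated sessions walking the whole number
space, with roughly 5% of candidates turning out to be real accounts.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

# Constructed number space: 10,000 six-digit "phone numbers".
NUMBER_SPACE = range(100_000, 110_000)
# Constructed registered set: 500 numbers (5% of the space), fixed seed.
REGISTERED = frozenset(random.Random(1337).sample(list(NUMBER_SPACE), 500))


class QuotaExceeded(Exception):
    """Raised by the hardened oracle when a session is over budget."""


@dataclass
class TokenBucket:
    """Token bucket in integer milli-tokens on a millisecond clock, so the
    simulation is exact and reproducible (no float drift)."""
    capacity: int          # burst size, in tokens
    refill_per_sec: int    # sustained rate, tokens per second
    tokens: int = 0        # set in __post_init__
    last_ms: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.capacity * 1000

    def take(self, now_ms: int) -> bool:
        # 1 token/s == 1 milli-token/ms, so elapsed_ms * rate is the refill.
        refill = (now_ms - self.last_ms) * self.refill_per_sec
        self.tokens = min(self.capacity * 1000, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class OpenOracle:
    """Answers 'is this number registered?' for anyone, as fast as asked.
    This is the behaviour the researchers found."""

    def lookup(self, session: str, number: int, now_ms: int) -> bool:
        return number in REGISTERED


class HardenedOracle:
    """Same answer, but every authenticated session is metered twice:
    a token bucket (short bursts are fine, sustained scanning is not) and
    a hard cap on lookups per window (a legitimate address book is finite)."""

    def __init__(self, burst: int = 50, per_sec: int = 1, window_cap: int = 55) -> None:
        self.burst, self.per_sec, self.window_cap = burst, per_sec, window_cap
        self.buckets: dict[str, TokenBucket] = {}
        self.used: dict[str, int] = {}

    def lookup(self, session: str, number: int, now_ms: int) -> bool:
        bucket = self.buckets.setdefault(session, TokenBucket(self.burst, self.per_sec))
        if self.used.get(session, 0) >= self.window_cap:
            raise QuotaExceeded(f"{session}: window cap reached")
        if not bucket.take(now_ms):
            raise QuotaExceeded(f"{session}: burst exhausted")
        self.used[session] = self.used.get(session, 0) + 1
        return number in REGISTERED


def enumerate_space(oracle, sessions: int = 5, requests_per_sec: int = 1000) -> tuple[int, int, int]:
    """Sweep NUMBER_SPACE round-robin over `sessions` sessions at a fixed
    request rate. Returns (answered, rejected, hits)."""
    answered = rejected = hits = 0
    for i, number in enumerate(NUMBER_SPACE):
        session = f"session-{i % sessions}"
        now_ms = (i + 1) * 1000 // requests_per_sec
        try:
            if oracle.lookup(session, number, now_ms):
                hits += 1
            answered += 1
        except QuotaExceeded:
            rejected += 1
    return answered, rejected, hits


if __name__ == "__main__":
    print("open oracle     (answered, rejected, hits):", enumerate_space(OpenOracle()))
    print("hardened oracle (answered, rejected, hits):", enumerate_space(HardenedOracle()))
```

Run as a script, the open oracle answers all 10,000 lookups and surfaces all 500 registered numbers, while the hardened one answers 275 and refuses the rest: each session's burst budget drains after 50 requests, and the window cap closes the slow trickle the refill would otherwise allow. The specific figures are arbitrary; the design point is that the meter has to be attached to the authenticated session and sized to what a real address book looks like, because the study's entire sweep came from one server and a few sessions that no per-IP heuristic ever tripped.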

What data the researchers extracted from the WhatsApp API

Because the missing rate limiting was not confined to a single endpoint, the researchers also queried several related APIs for each number they had confirmed:

  • GetUserInfo
  • FetchPicture
  • GetPrekeys

As a result, they gathered profile photos, "about" text, device information and other metadata linked to each phone number. For US numbers alone they downloaded 77 million profile photos without hitting any restriction. Many images showed identifiable faces. Public "about" messages also exposed personal details, links to other accounts and hints about daily routines.

The enumeration also mapped where WhatsApp's user base is concentrated. The largest national totals were:

  • India: 749M
  • Indonesia: 235M
  • Brazil: 206M
  • United States: 138M
  • Russia: 133M
  • Mexico: 128M

Even in China, Iran, North Korea and Myanmar, where WhatsApp is banned or blocked, millions of accounts appeared active, which means users there reach the service through workarounds. Iran saw continued growth after lifting its WhatsApp ban in December 2024.

Why WhatsApp data scraping remains dangerous years later

The researchers compared their dataset with the 2021 Facebook phone-number leak. Over 58% of those numbers still matched active WhatsApp accounts in 2025. This overlap shows why phone-number-based leaks are so damaging: a number rarely changes, so a leaked one stays useful to attackers long after the original breach.

The study made one thing clear: although the researchers did not release their dataset, any threat actor could have exploited the same API weaknesses to build an equally large database of identities, photos and metadata.

Why weak API safeguards create massive exposure risks

This WhatsApp API flaw reflects a broader industry problem. Many tech companies expose convenience-focused APIs without considering how they can be misused. Without rate limits, an app that checks one contact becomes a tool that checks millions.

Other major platforms have faced similar failures:

  • Facebook (533M scraped): attackers abused the contact-upload ("Add Friend") feature to match phone numbers to profiles
  • Twitter (5.4M scraped): a flaw let anyone link an email address or phone number to an account
  • Dell (49M scraped): customer records were pulled through an endpoint that nothing stopped from being queried at scale

In each case the issue was not a break-in. It was an API designed without the restrictions its reach demanded.

WhatsApp’s response to the API flaw

After receiving the report, WhatsApp implemented new rate-limiting controls to prevent similar scraping attempts. While these fixes improve protection going forward, they also highlight a larger problem: billions of users rely on platforms that often assume APIs will be used responsibly, even though experience shows otherwise.

Why this flaw matters for global privacy

APIs sit at the core of modern communication apps. When developers fail to enforce strict limits, malicious actors gain a powerful tool for collecting personal data. Phone numbers tie directly to identity, and once they leak, users cannot easily replace them. That permanence makes large-scale scraping especially dangerous.

This incident serves as a warning. As more platforms depend on APIs, strong rate limiting and monitoring must become standard, not optional.
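As an added illustration of what "monitoring" can mean here (a constructed example, not WhatsApp's detection logic), the script below scores sessions in a made-up contact-discovery log on three signals that separate an address-book sync from an enumeration run: volume, hit ratio, and how sequential the queried numbers are. The log format, the three sessions and the thresholds are assumptions.

```python
"""Spotting enumeration in contact-discovery logs (constructed illustration).

Added example, not WhatsApp telemetry: the log format, the sessions and the
thresholds are assumptions. It encodes the contrast the study exposes. A real
address-book sync sends a bounded, unordered batch of numbers, most of which
belong to other users; an enumerator sends far more, walks the number space
in order, and hits an account only about one time in twenty.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    session: str
    lookups: int
    hit_ratio: float
    sequential_ratio: float
    reasons: tuple[str, ...]

    @property
    def flagged(self) -> bool:
        # One weak signal on its own is not enough: a new user whose friends
        # are not on the service legitimately has a low hit ratio.
        return len(self.reasons) >= 2


def parse_log(lines):
    """Parse whitespace-separated '<session> <number> <hit 0|1>' records,
    keeping per-session order (the order matters for the sequential check)."""
    per_session: dict[str, list[tuple[int, bool]]] = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        session, number, hit = line.split()
        per_session[session].append((int(number), hit == "1"))
    return per_session


def sequential_ratio(numbers: list[int]) -> float:
    """Fraction of adjacent lookups whose numbers differ by exactly one."""
    if len(numbers) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(numbers, numbers[1:]) if b - a == 1)
    return steps / (len(numbers) - 1)


def analyze(lines, max_lookups: int = 2000, min_hit_ratio: float = 0.25,
            max_sequential: float = 0.5) -> list[Verdict]:
    """Score every session; the thresholds are assumed values for the toy data."""
    verdicts = []
    for session, records in sorted(parse_log(lines).items()):
        numbers = [n for n, _ in records]
        hits = sum(1 for _, h in records if h)
        hit_ratio = hits / len(records)
        seq = sequential_ratio(numbers)
        reasons = []
        if len(records) > max_lookups:
            reasons.append("volume")
        if hit_ratio < min_hit_ratio:
            reasons.append("low hit ratio")
        if seq > max_sequential:
            reasons.append("sequential numbers")
        verdicts.append(Verdict(session, len(records), round(hit_ratio, 3),
                                round(seq, 3), tuple(reasons)))
    return verdicts


def make_sample_log() -> list[str]:
    """Constructed log: two real syncs and one scanner. Hit flags follow fixed
    patterns so the ratios are exact (70%, 10%, 5%)."""
    rng = random.Random(7)
    lines = ["# session number hit"]
    # sync-alice: 300 unordered contacts, 70% already on the service.
    for i, n in enumerate(rng.sample(range(100_000, 999_999), 300)):
        lines.append(f"sync-alice {n} {int(i % 10 < 7)}")
    # sync-bob: a new user, 40 contacts, only 10% on the service.
    for i, n in enumerate(rng.sample(range(100_000, 999_999), 40)):
        lines.append(f"sync-bob {n} {int(i % 10 == 0)}")
    # scan-0: walks 3,000 consecutive numbers, 5% of which exist.
    for i in range(3000):
        lines.append(f"scan-0 {100_000 + i} {int(i % 20 == 0)}")
    return lines


if __name__ == "__main__":
    for v in analyze(make_sample_log()):
        print(v.session, v.lookups, v.hit_ratio, v.sequential_ratio,
              "FLAGGED" if v.flagged else "ok", v.reasons)
```

On the constructed log only scan-0 is flagged; sync-bob trips the hit-ratio check alone and is left alone, which is the trade-off such a detector has to make. A real deployment would also account for the scrapers' obvious evasion, randomising query order and spreading load over many sessions, which is why the sequential check is a supporting signal and the volume and hit-ratio signals, aggregated per account and per source, carry the weight.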

Conclusion

The WhatsApp API flaw uncovered by the researchers shows how a single oversight can expose billions of users. Although WhatsApp has since added protections, the incident demonstrates that large-scale scraping remains an ongoing threat. As more apps rely on APIs, companies must treat rate limiting and abuse monitoring as part of the design and recognise that a convenience feature can quickly become a global privacy risk.
