Many WhatsApp users find that locating someone on the platform is relatively easy with just their phone number, and there seems to be no limit to how often one can search. However, this has become a notable security loophole that exposes 3.5 billion users of the messaging app, which attackers could exploit, as revealed in a new report.

Major WhatsApp Security Risk

The vulnerability was discovered by security researchers at the University of Vienna in Austria through a study conducted between December 2024 and April 2025. The issue mainly stems from the built-in WhatsApp feature for finding and adding contacts, which has been available for many years.

Technically, you add a number and then look it up in the app, and it will show whether the number has an account. Anyone with the active number can also check the profile and send messages to public accounts.

The group carried out this process using a tool called “libphonegen,” which generates combinations of account numbers across different countries that are potentially registered on WhatsApp.

Share of Android and iOS users in the study, and the percentage of exposed profiles.

In their study, they managed to generate 100 million numbers per hour, with a total of 63 billion combinations and potential accounts. From those, 3.5 billion accounts were extracted. Of these, 57% had their profile photos revealed, while 29% had text profiles exposed, which included sensitive details such as religious and political affiliations and links to other social media accounts.

Why This WhatsApp Vulnerability Is Alarming

The findings highlight how malicious actors, such as fraudsters and attackers, could exploit this security flaw in WhatsApp. For instance, public keys and identity keys can be reused instead of being unique, which weakens the encryption in the messaging app. With compromised security, attackers could intercept and decrypt messages.

This same vulnerability in WhatsApp was flagged in 2017, but Meta has not been able to patch or address the loophole.

The security research group contacted Meta after the findings, and the company confirmed that it rolled out system updates in October that limit the number of account searches that can be performed in the app.

Enable This Feature for Stronger Privacy Protection

However, users with public profiles are still exposed, as their profile texts and photos remain viewable by others. Anyone concerned about privacy and security when using WhatsApp is encouraged to make their profile private for added protection.

Meta has also introduced new privacy and security features recently. A couple of these, currently in testing, are automatically muting calls and messages from strangers and a monthly message cap.

Are you aware of this critical WhatsApp flaw? Which safeguards do you apply to keep your account or profile secure? We want to hear your suggestions.

We mark partner links with this symbol. If you click on one of these links or buttons–or make a purchase through them–we may receive a small commission from the retailer. This doesn’t affect the price you pay, but it helps us keep nextpit free for everyone. Thanks for your support!