The flaw wasn't hidden in complex code—it lived in the simplest feature of all.
Deep inside a feature designed to connect people, Austrian researchers found an open door to the data of 3.5 billion WhatsApp users. No technical sophistication was needed: exploiting the absence of limits on an everyday tool was enough to show that even platforms built on a promise of privacy can be vulnerable at their simplest foundations. The finding, reported responsibly to Meta before disclosure, is a reminder that digital security is not a destination but constant vigilance.
- A feature as ordinary as contact lookup became the key to querying more than 100 million phone numbers per hour with no throttling by the system.
- The gap exposed more than numbers: profile photos, encryption keys, country of origin and operating system were laid bare for every confirmed user.
- The result was a complete database of 3.5 billion people, revealing that millions of users operate from countries where WhatsApp is officially banned.
- The paradox is stark: a platform that has withstood government pressure to weaken its encryption was compromised by the most basic mechanics of its own design.
- Responsible disclosure gave Meta time to act, but the incident leaves open the question of how many similar doors remain unexamined in other services.
Researchers at the University of Vienna and SBA Research have disclosed a method for extracting the phone numbers of 3.5 billion WhatsApp users—essentially the entire active user base of the platform. What makes the discovery particularly striking is not the sophistication of the attack, but its simplicity.
WhatsApp, like most messaging apps, includes a basic feature that lets users find friends by uploading their phone contacts. The app checks those numbers against its database and surfaces matches. This is a convenience function, designed to help people connect with people they already know. The researchers found that this feature had no built-in safeguards: there were no rate limits, and nothing stopped a single client from querying the system with millions of phone numbers in rapid succession. In fact, they determined it was possible to check more than 100 million numbers per hour.
The attack required no exotic exploit or deep knowledge of WhatsApp's code. The researchers simply generated lists of possible phone numbers, cycling through every combination a numbering plan makes plausible, and asked WhatsApp to verify which ones belonged to active users. For each number confirmed as registered, the lookup also returned additional information about the account: the user's profile picture (if public), their country, their operating system, and the account's public encryption key, the key material a sender needs to start an end-to-end encrypted conversation with them.
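To make the contrast concrete, here is an added example, written for this page rather than taken from the researchers, from Meta or from WhatsApp's actual protocol. It models a contact-discovery lookup in the unthrottled form described above and in a throttled form with a batch cap, a per-client token bucket and a hit-rate check, then runs the same batched enumerator against both. The toy numbering plan, the registry density (about one registered account per 64 plausible numbers), the client names, the thresholds and the fake clock are all constructed assumptions.

```python
import hashlib
import itertools


def plausible_numbers(country_code, prefixes, subscriber_digits):
    """Walk every number a (toy) numbering plan allows: 'cycling through every plausible combination'."""
    for prefix in prefixes:
        for n in range(10 ** subscriber_digits):
            yield f"+{country_code}{prefix}{n:0{subscriber_digits}d}"


def build_registry(numbers, seed="demo"):
    """Constructed registry: about 1 in 64 plausible numbers is registered, with the metadata a hit exposes."""
    registry = {}
    for num in numbers:
        h = hashlib.sha256(f"{seed}:{num}".encode()).digest()
        if h[0] % 64 == 0:  # roughly 80 % Android, mirroring the split the article reports
            registry[num] = {"country": "AT", "os": "android" if h[1] % 5 else "ios", "public_key": h[2:34].hex()}
    return registry


def match_unthrottled(registry, numbers):
    """Contact matching as described: no batch cap, no rate limit, metadata returned for every hit."""
    return {n: registry[n] for n in numbers if n in registry}


class ThrottledDiscovery:
    """The same lookup behind a batch cap, a per-client token bucket and a hit-rate check."""
    MAX_BATCH = 1000        # contacts per request
    BUCKET_CAPACITY = 5000  # burst budget per client
    REFILL_PER_SEC = 1.0    # sustained budget per client
    MIN_HIT_RATE = 0.05     # address books match far more often than a brute-force walk does
    HIT_RATE_WINDOW = 2000  # judge the hit rate only once this many numbers were checked

    def __init__(self, registry, clock):
        self.registry, self.clock = registry, clock  # clock: callable returning seconds
        self.buckets = {}  # client -> (tokens, last_refill_time)
        self.stats = {}    # client -> [checked, matched]

    def _take(self, client_id, n):
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (self.BUCKET_CAPACITY, now))
        tokens = min(self.BUCKET_CAPACITY, tokens + (now - last) * self.REFILL_PER_SEC)
        ok = tokens >= n
        self.buckets[client_id] = (tokens - n if ok else tokens, now)
        return ok

    def match(self, client_id, numbers):
        if len(numbers) > self.MAX_BATCH:
            raise PermissionError("batch too large")
        if not self._take(client_id, len(numbers)):
            raise PermissionError("rate limit exceeded")
        hits = match_unthrottled(self.registry, numbers)
        st = self.stats.setdefault(client_id, [0, 0])
        st[0] += len(numbers)
        st[1] += len(hits)
        if st[0] >= self.HIT_RATE_WINDOW and st[1] / st[0] < self.MIN_HIT_RATE:
            raise PermissionError("enumeration pattern detected")
        return hits


def enumerate_users(lookup, numbers, batch=1000):
    """The attack loop: submit the plausible space in batches and keep every confirmed account."""
    found, it = {}, iter(numbers)
    while chunk := list(itertools.islice(it, batch)):
        try:
            found.update(lookup(chunk))
        except PermissionError as e:
            return found, str(e)  # what stopped the walk, if anything
    return found, None


def demo():
    """Enumerate against both lookups, then use the throttled one the way legitimate clients would."""
    plan = dict(country_code="43", prefixes=("660", "664", "676", "699"), subscriber_digits=4)
    registry = build_registry(plausible_numbers(**plan))
    open_found, open_stop = enumerate_users(lambda c: match_unthrottled(registry, c), plausible_numbers(**plan))
    now = [0.0]  # fake clock so the token bucket is reproducible offline
    guarded = ThrottledDiscovery(registry, lambda: now[0])
    slow_found, slow_stop = enumerate_users(lambda c: guarded.match("attacker", c), plausible_numbers(**plan))
    unregistered = [n for n in plausible_numbers(**plan) if n not in registry]
    alice = guarded.match("alice", sorted(registry)[:240] + unregistered[:60])  # constructed address book
    hot = sorted(registry)[:500] + unregistered[:500]  # full-size upload with a realistic hit rate
    bob_stop = None
    for _ in range(6):  # six bursts of 1000 overrun the 5000-token bucket
        try:
            guarded.match("bob", hot)
        except PermissionError as e:
            bob_stop = str(e)
    now[0] += 1000  # at one token per second, 1000 s refills exactly one full batch
    refilled = len(guarded.match("bob", hot)) == 500
    return {"registered": len(registry), "open_complete": open_found == registry, "open_stop": open_stop,
            "slow_found": len(slow_found), "slow_stop": slow_stop, "alice_matches": len(alice),
            "bob_stop": bob_stop, "refilled": refilled}
```

Against the unthrottled lookup the walk recovers the entire registry with its metadata; against the throttled one the same walk is cut off after two batches because a brute-force sweep matches a few percent of the numbers it submits while a real address book matches most of them, and a legitimate client's upload still goes through. The per-client budget is only part of the answer: an attacker who spreads the sweep across many registered accounts stays under every individual bucket, so the hit-rate signal and global query volume need watching as well.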
Using this approach, the researchers built a comprehensive database of 3.5 billion WhatsApp users complete with metadata. The resulting dataset yielded some unexpected findings. Millions of WhatsApp users are located in countries where the app is officially banned, including China and Iran. Among the user base, 81 percent use Android devices, while 19 percent use iOS. These are not trivial details—they paint a picture of the platform's actual global footprint, including its presence in places where it is supposed to be inaccessible.
The vulnerability is particularly notable because WhatsApp has long positioned itself as a privacy-focused platform. Meta, which owns WhatsApp, maintains end-to-end encryption across all messages and has resisted pressure to weaken that protection even when doing so might increase advertising revenue. The company has made security a cornerstone of its brand identity. Yet this flaw demonstrates that strong encryption alone does not guarantee privacy: end-to-end encryption protects message content, not the fact that a given phone number is registered, and a discovery feature that answers that question for any number at any rate exposes exactly the membership and profile metadata the encryption never covered. A fundamental feature, one designed to make the app more useful, created an opening for mass enumeration of users and their associated data.
The researchers followed responsible disclosure practices, alerting Meta to the vulnerability before making their findings public, which gave the company time to implement fixes before the technique was widely known. The incident underscores a recurring tension in platform design: the features that make an app convenient and user-friendly also create security risks if they are not carefully constrained, here by limiting how many numbers a single client may check and how fast. Even in a system built around privacy, the basic mechanics of how users find each other can become a vector for exposure.
Notable Quotes
"The researchers were responsible and notified Meta before public disclosure to prevent malicious exploitation." (El Español, reporting on researcher conduct)
The Hearth Conversation: another perspective on the story
So the researchers didn't need to hack anything? They just... asked WhatsApp to check numbers?
Exactly. They used the contact-matching feature the way it was designed to work. The flaw wasn't in the encryption or some hidden backdoor. It was that the system had no throttle.
And WhatsApp didn't see this coming?
The feature itself is useful—people want to find friends easily. But the researchers showed that usefulness and security can pull in opposite directions. No one had apparently thought to ask: what if someone checked a billion numbers instead of a hundred?
What could someone actually do with 3.5 billion phone numbers and encryption keys?
The encryption keys let you send messages to those accounts. The phone numbers themselves are valuable for targeted harassment, phishing, or building profiles. Combined with the country and OS data, you have a map of the global user base.
Did Meta know this was possible?
There's no evidence they did. But that's part of the point—sometimes the biggest risks hide in plain sight, in features so basic we stop thinking about them.
What happens now?
Meta will likely add rate limits and other checks to the contact-matching system. But the researchers have already shown the principle works. The real question is whether other platforms have the same blind spot.