Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy
- URL: http://arxiv.org/abs/2511.20252v1
- Date: Tue, 25 Nov 2025 12:27:05 GMT
- Title: Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy
- Authors: Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Johanna Ullrich, Aljosha Judmayer,
- Abstract summary: We show that WhatsApp remains highly vulnerable to enumeration at scale. We probed over a hundred million phone numbers per hour without encountering blocking or effective rate limiting. We also show that nearly half of the phone numbers disclosed in the 2021 Facebook data leak are still active on WhatsApp.
- Score: 1.4190701053683015
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: WhatsApp, with 3.5 billion active accounts as of early 2025, is the world's largest instant messaging platform. Given its massive user base, WhatsApp plays a critical role in global communication. To initiate conversations, users must first discover whether their contacts are registered on the platform. This is achieved by querying WhatsApp's servers with mobile phone numbers extracted from the user's address book (if they allowed access). This architecture inherently enables phone number enumeration, as the service must allow legitimate users to query contact availability. While rate limiting is a standard defense against abuse, we revisit the problem and show that WhatsApp remains highly vulnerable to enumeration at scale. In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting. Our findings demonstrate not only the persistence but also the severity of this vulnerability. We further show that nearly half of the phone numbers disclosed in the 2021 Facebook data leak are still active on WhatsApp, underlining the enduring risks associated with such exposures. Moreover, we were able to perform a census of WhatsApp users, providing a glimpse of the macroscopic insights a large messaging service is able to generate even though the messages themselves are end-to-end encrypted. Using the gathered data, we also discovered the re-use of certain X25519 keys across different devices and phone numbers, indicating either insecure (custom) implementations or fraudulent activity. In this updated version of the paper, we also provide insights into the collaborative remediation process through which we confirmed that the underlying rate-limiting issue had been resolved.
Related papers
- Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers [1.6857161116805999]
  This paper highlights that delivery receipts can pose significant privacy risks to users. We use specifically crafted messages that trigger delivery receipts, allowing any user to be pinged without their knowledge or consent. We argue for a design change to address this issue.
  arXiv Detail & Related papers (2024-11-17T22:58:28Z)
- The Medium is the Message: How Secure Messaging Apps Leak Sensitive Data to Push Notification Services [9.547428690220618]
  This study investigated secure messaging apps' usage of Google's Firebase Cloud Messaging (FCM) service to send push notifications to Android devices. We analyzed 21 popular secure messaging apps from the Google Play Store to determine what personal information these apps leak in the payload of push notifications sent via FCM. None of the data we observed being leaked to FCM was specifically disclosed in those apps' privacy disclosures.
  arXiv Detail & Related papers (2024-07-15T10:13:30Z)
- WildChat: 1M ChatGPT Interaction Logs in the Wild [88.05964311416717]
  WildChat is a corpus of 1 million user-ChatGPT conversations, which consists of over 2.5 million interaction turns. In addition to timestamped chat transcripts, we enrich the dataset with demographic data, including state, country, and hashed IP addresses.
  arXiv Detail & Related papers (2024-05-02T17:00:02Z)
- Analysis of Longitudinal Changes in Privacy Behavior of Android Applications [79.71330613821037]
  In this paper, we examine the trends in how Android apps have changed over time with respect to privacy. We examine the adoption of HTTPS, whether apps scan the device for other installed apps, the use of permissions for privacy-sensitive data, and the use of unique identifiers. We find that privacy-related behavior has improved with time as apps continue to receive updates, and that the third-party libraries used by apps are responsible for more issues with privacy.
  arXiv Detail & Related papers (2021-12-28T16:21:31Z)
- Uncovering the Dark Side of Telegram: Fakes, Clones, Scams, and Conspiracy Movements [56.49045238318727]
  We perform a large-scale analysis of Telegram by collecting 35,382 different channels and over 130,000,000 messages. We find some of the infamous activities also present on privacy-preserving services of the Dark Web, such as carding. We propose a machine learning model that is able to identify fake channels with an accuracy of 86%.
  arXiv Detail & Related papers (2021-11-26T14:53:31Z)
- Tiplines to Combat Misinformation on Encrypted Platforms: A Case Study of the 2019 Indian Election on WhatsApp [5.342552155591148]
  We analyze the usefulness of a crowd-sourced system on WhatsApp through which users can submit "tips" containing messages they want fact-checked. We compare the tips sent to a WhatsApp tipline run during the 2019 Indian national elections with the messages circulating in large, public groups on WhatsApp. We find that tiplines are a very useful lens into WhatsApp conversations.
  arXiv Detail & Related papers (2021-06-08T23:08:47Z)
- Jettisoning Junk Messaging in the Era of End-to-End Encryption: A Case Study of WhatsApp [8.463390032361591]
  We study junk messaging on a multilingual dataset of 2.6M messages sent to 5K public WhatsApp groups in India. We find that nearly 1 in 10 messages is unwanted content sent by junk senders.
  arXiv Detail & Related papers (2021-06-08T15:52:46Z)
- Emerging App Issue Identification via Online Joint Sentiment-Topic Tracing [66.57888248681303]
  We propose a novel emerging issue detection approach named MERIT. Based on the AOBST model, we infer the topics negatively reflected in user reviews for one app version. Experiments on popular apps from Google Play and Apple's App Store demonstrate the effectiveness of MERIT.
  arXiv Detail & Related papers (2020-08-23T06:34:05Z)
- Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
  Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contact tracing apps using Bluetooth Low Energy. We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that can generate fake contacts.
  arXiv Detail & Related papers (2020-06-10T16:05:05Z)
- Can WhatsApp Benefit from Debunked Fact-Checked Stories to Reduce Misinformation? [3.116035935327534]
  We observe that misinformation has been largely shared on WhatsApp public groups even after it was already fact-checked by popular fact-checking agencies. This represents a significant portion of the misinformation spread in both Brazil and India in the groups analyzed. We propose an architecture that could be implemented by WhatsApp to counter such misinformation.
  arXiv Detail & Related papers (2020-06-03T18:28:57Z)
- Decentralized Privacy-Preserving Proximity Tracing [50.27258414960402]
  DP3T provides a technological foundation to help slow the spread of SARS-CoV-2. The system aims to minimise privacy and security risks for individuals and communities.
  arXiv Detail & Related papers (2020-05-25T12:32:02Z)