A team of computer scientists from the University of Vienna has discovered a serious privacy issue in WhatsApp. They found a way to collect phone numbers linked to 3.5 billion WhatsApp accounts worldwide by misusing the app’s contact discovery feature. Using the same method, they were also able to download around 57% of all profile pictures that were publicly visible.
Out of all the active accounts, nearly 750 million users were from India. The researchers found that 62% of Indian WhatsApp users had their profile picture visible to “Everyone,” making them easy targets for this type of data scraping. The team also managed to collect other information such as a user’s “About” status, whether a companion device was connected, and details about business accounts.
How the method works
The researchers took advantage of WhatsApp’s contact discovery system. Normally, when you save someone’s phone number in your contacts, WhatsApp checks if the number is registered on the platform. If the number is on WhatsApp, it shows the person’s name and profile picture, if the picture is set to public.
The researchers used automated tools combined with WhatsApp's XMPP (Extensible Messaging and Presence Protocol) endpoints to mimic this behavior on a massive scale. By generating millions of phone numbers and pretending they were contacts, they extracted profile details from all the accounts linked to those numbers.
Why this is dangerous
This discovery is alarming because it shows major weaknesses in WhatsApp’s rate-limiting system, the feature that is supposed to prevent people from sending too many requests too quickly. Since the system failed to stop mass scraping, it means anyone with technical knowledge could create large databases of phone numbers, profile pictures, and other personal information.
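As an added, defender-side illustration (not part of the article or of the researchers' work): a small Python check over constructed contact-discovery lookup records that separates a normal address-book sync from a client feeding generated, consecutive numbers at a low hit rate, the pattern a rate limiter or abuse monitor would need to catch. The log format, client ids and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of contact-discovery lookups (not real WhatsApp logs):
# <client_id> <queried_number> <registered: 1 or 0>
SAMPLE_LOG = """\
client-a 919800000001 0
client-a 919800000002 0
client-a 919800000003 1
client-a 919800000004 0
client-a 919800000005 0
client-a 919800000006 1
client-a 919800000007 0
client-a 919800000008 0
client-b 917012345678 1
client-b 919944556677 1
client-b 918877001122 1
"""

def parse_log(text):
    """Group (number, registered) pairs by client, preserving order."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, number, registered = line.split()
        per_client[client].append((int(number), registered == "1"))
    return per_client

def client_stats(lookups):
    """Volume, hit rate and share of consecutive numbers for one client."""
    total = len(lookups)
    hits = sum(1 for _, reg in lookups if reg)
    sequential = sum(
        1 for (a, _), (b, _) in zip(lookups, lookups[1:]) if b - a == 1
    )
    return {
        "lookups": total,
        "hit_rate": hits / total,
        "sequential_share": sequential / max(total - 1, 1),
    }

def flag_enumerators(text, min_lookups=5, max_hit_rate=0.5, min_sequential=0.6):
    """Return clients whose lookups look like generated numbers. The
    thresholds are assumptions: a genuine address-book sync has a high hit
    rate and few consecutive numbers, a generated range has the opposite."""
    flagged = []
    for client, lookups in parse_log(text).items():
        s = client_stats(lookups)
        if (s["lookups"] >= min_lookups
                and s["hit_rate"] <= max_hit_rate
                and s["sequential_share"] >= min_sequential):
            flagged.append(client)
    return sorted(flagged)
```

In production the same statistics would be kept per client over a sliding time window, and a flagged client would be throttled or blocked rather than just listed.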
Even though WhatsApp’s end-to-end encryption was not broken, the design flaw allowed researchers to gather sensitive data. Many users believe their profile picture is visible only to contacts, but if the privacy setting is “Everyone,” then anyone can access it and store it. Profile pictures can reveal more than just a face: backgrounds may show car number plates, streets, workplace buildings, or other clues that help identify a person’s lifestyle and location.
In India, a phone number is considered personal data under the Digital Personal Data Protection (DPDP) Act, 2023. However, the act does not protect information that users themselves make publicly visible. This means that if someone sets their photo or details to “Everyone,” the data can be collected legally without breaking the privacy law.