
Cybersecurity experts have recently uncovered a critical vulnerability in the WhatsApp messaging platform that potentially exposed metadata belonging to more than 3.5 billion users worldwide. Meta, the parent company of WhatsApp, has acknowledged the issue and claims to have fully resolved the flaw at its root.
However, a newly published report from security researchers at the University of Vienna suggests that significant damage may have already occurred. According to these researchers, the vulnerability enabled unauthorized access to sensitive metadata, including users’ phone numbers, approximate locations, device types, operating systems, and even the age of each WhatsApp account.
The flaw also permitted access to users’ contact lists, potentially leaking countless phone numbers associated with WhatsApp accounts.
Gabriel Gegenhuber, one of the lead researchers at the University of Vienna, explained that WhatsApp’s servers should normally reject excessive or repeated requests from a single source. Instead, due to this vulnerability, researchers were able to send unlimited data requests, receiving metadata that could be easily correlated and used to build detailed profiles of nearly all active WhatsApp users across more than 245 countries.
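The server-side control described above, sketched as an added example (not WhatsApp's code and not taken from the researchers' report): a per-source budget on how many distinct phone numbers one client may look up within a sliding window. The class name, the thresholds and the notion of "source" (an account or IP address) are assumptions, and the phone numbers are constructed.

```python
import time
from collections import OrderedDict, defaultdict


class LookupLimiter:
    """Caps the number of *distinct* phone numbers one source may look up
    inside a sliding time window. Thresholds here are illustrative."""

    def __init__(self, max_distinct=200, window_s=3600.0, clock=time.monotonic):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self.clock = clock
        # source -> {number: time of last lookup}, kept oldest-first
        self._seen = defaultdict(OrderedDict)

    def allow(self, source, numbers):
        """Record the batch and return True if it fits the budget;
        otherwise reject the whole batch and return False."""
        now = self.clock()
        seen = self._seen[source]
        # Drop numbers whose last lookup has aged out of the window.
        while seen and now - next(iter(seen.values())) >= self.window_s:
            seen.popitem(last=False)
        batch = set(numbers)
        new = {n for n in batch if n not in seen}
        # Re-checking a number already in the window costs nothing, so an
        # ordinary address-book re-sync is not penalised; sweeping through
        # a number range is what exhausts the budget.
        if len(seen) + len(new) > self.max_distinct:
            return False
        for n in batch:
            seen[n] = now
            seen.move_to_end(n)
        return True


if __name__ == "__main__":
    limiter = LookupLimiter(max_distinct=3, window_s=60.0)
    # Constructed sample: one source walking a sequential number range.
    for i in range(1, 6):
        number = f"+1000000000{i}"
        verdict = "allowed" if limiter.allow("acct-A", [number]) else "rejected"
        print(number, verdict)
```

Counting distinct numbers rather than raw requests ties the limit to the behaviour that matters for enumeration; a production service would also need shared state across servers and limits that an attacker cannot reset by rotating sources.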
Of particular concern is the fact that the compromised metadata included information from users in countries such as China, Iran, and Myanmar, where access to certain online platforms is heavily restricted and closely monitored. This raises additional geopolitical and privacy implications.
Meanwhile, Meta’s internal security team released Advisory 2025, asserting that they have found no evidence that the vulnerability was exploited maliciously in the wild. Nevertheless, the revelation has sparked renewed debate over data security and the privacy safeguards in major global communication platforms.