Meta/WhatsApp

Security researchers from the University of Vienna and SBA Research exploited weak rate limits in WhatsApp’s GetDeviceList and related APIs to enumerate 3.5 billion active accounts and download profile photos, ‘about’ text, device info and public keys, they told BleepingComputer and Fox News. Using five authenticated sessions on a single university server, they queried over 100 million phone numbers per hour and pulled 77 million U.S. profile images; WhatsApp has since added rate limiting after the issue was disclosed, and the researchers did not release the data.