Salah Abdullah Al-attar - Editor-in-Chief


The big WhatsApp loophole: how were billions of phone numbers around the world so easily exposed?

WhatsApp's contact discovery feature, which lets users check whether any phone number is registered on the platform, turned into a backdoor that enabled researchers from the University of Vienna in Austria to collect the numbers of 3.5 billion users around the world, along with their profile pictures and About text in a large share of cases, a new research study shows.

The researchers explained that they simply tried every possible number through the desktop version of WhatsApp, without encountering any limit on the number or rate of attempts. The team was able to check about 100 million numbers per hour, which let them compile a massive database that they described as what would have been the largest exposure of user data in history, had it not been collected in the context of a responsible research study.


Aljosha Judmayer, one of the researchers involved in the study, said their findings represent the largest documented exposure to date of phone numbers and the user data associated with them.

Personal data exposed for years

According to the study, the team was able to extract the profile photos of 57% of the users surveyed, and the About text of 29% of them. The researchers confirmed that they notified Meta of the vulnerability last April, and that in October the company deployed a mechanism to block mass, repeated lookups.
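As an added example (not code from the article, the study or Meta), a server-side throttle of the kind the fix implies: a sliding-window quota on contact-discovery lookups per client, plus a heuristic that flags a client walking consecutive numbers, which is how the researchers describe their sweep. The event format, thresholds and client names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of contact-discovery lookup events: (timestamp, client_id, E.164 number).
# "client-a" syncs a small address book; "client-b" walks a number range, the pattern the
# study describes (trying every possible number with no limit on count or rate).
SAMPLE_EVENTS = [
    (0.0, "client-a", "+4366412345678"),
    (0.4, "client-a", "+4366498765432"),
    (0.9, "client-a", "+4915112345678"),
] + [(i * 0.01, "client-b", f"+1555000{i:04d}") for i in range(300)]


class LookupRateLimiter:
    """Sliding-window quota per client plus a sequential-range heuristic (hypothetical design)."""

    def __init__(self, max_lookups=100, window_seconds=60.0, sequential_threshold=20):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.sequential_threshold = sequential_threshold
        self.history = defaultdict(deque)       # client -> lookup timestamps inside the window
        self.last_number = {}                   # client -> last queried number as an int
        self.sequential_run = defaultdict(int)  # client -> length of the current +1 run
        self.flagged = set()                    # clients identified as enumerating

    def allow(self, ts, client, number):
        """Return True if the lookup may proceed, False if throttled or the client is flagged."""
        digits = int(number.lstrip("+"))
        # Address-book syncs are not monotonic by exactly 1; long +1 runs indicate a sweep.
        if client in self.last_number and digits == self.last_number[client] + 1:
            self.sequential_run[client] += 1
        else:
            self.sequential_run[client] = 0
        self.last_number[client] = digits
        if self.sequential_run[client] >= self.sequential_threshold:
            self.flagged.add(client)
        if client in self.flagged:
            return False
        # Evict timestamps that fell out of the sliding window, then enforce the quota.
        q = self.history[client]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False
        q.append(ts)
        return True


def run(events, limiter=None):
    """Replay events in timestamp order; report allowed/denied counts and flag status per client."""
    limiter = limiter or LookupRateLimiter()
    report = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, client, number in sorted(events):
        report[client]["allowed" if limiter.allow(ts, client, number) else "denied"] += 1
    return {c: dict(v, flagged=c in limiter.flagged) for c, v in report.items()}
```

Both controls act per client identity, so in practice the quota would need to be keyed on something costlier to obtain than a fresh session.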

But before the fix, anyone could have used the same method to collect data on users in different countries, including those who rely on WhatsApp where it is banned: for example, the researchers found 2.3 million numbers in China and 1.6 million in Myanmar, which could allow government agencies there to track people who use the app illegally.

Meta: message encryption untouched

In a statement to WIRED magazine, Meta thanked the researchers for the report and asserted that the data obtained is essentially public information, because profile pictures and About text are only visible if the user has chosen to make them viewable.