A group of computer scientists at the University of Vienna has managed to scrape the contact numbers linked to all 3.5 bn WhatsApp accounts, along with at least 57 per cent of the publicly available profile pictures, by abusing WhatsApp's contact discovery feature. Among the active users, nearly 750 mn were from India, and 62 per cent of Indian users had a visible profile picture. They also managed to collect the "about" text, companion-device usage, business account information, and more.

The Method Used

They exploited WhatsApp's contact discovery algorithm. Normally, when you save a phone number on your phone and WhatsApp has access to your phone book, WhatsApp checks whether that number is registered on WhatsApp and, if the profile picture is publicly visible, fetches it as well. The researchers drove this same lookup at scale using techniques that leverage the platform's XMPP endpoints.

Why is this alarming?

The sheer scale of profile data the researchers extracted shows how ineffective the rate limiting that WhatsApp has claimed to implement actually is. It also shows that a large amount of profile data is exposed to scraping and profiling by malicious entities. Even though the method did not involve breaking WhatsApp's end-to-end encryption, it exposed a design flaw: users who believe their contact details and profile picture are visible only to their contact list can be exploited if those settings are set to "everybody", and the collected data can be used to build vast databases of personally identifiable information, a kind of "reverse phone book". “Beyond facial features, additional elements captured in profile pictures, such as license plates, street signs, or recognizable landmarks, could enable more sophisticated profiling and leak a user’s identity, location, or daily environment,” the research paper reads.

In India, a user's phone number or email address is classified as personal data under the DPDP Act 2023; however, the provisions of the act do not apply to personal data that the user has made publicly available.
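To make the rate-limiting point concrete, here is an added example (not code from the article, the research paper, or WhatsApp) of the kind of server-side check a platform could run over contact-discovery lookup logs to tell an ordinary address-book sync apart from bulk enumeration. The log rows, the client ids and all thresholds are constructed assumptions for this illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not WhatsApp's real settings.
WINDOW_SECONDS = 3600
MAX_LOOKUPS_PER_WINDOW = 500  # an ordinary address-book sync rarely exceeds this
MIN_HIT_RATE = 0.5            # real address books mostly hold registered numbers
MIN_LOOKUPS_FOR_RATE = 100    # don't judge a hit rate on tiny samples

def build_sample():
    """Constructed lookup log rows: (timestamp_s, client_id, number, registered)."""
    rows = []
    # u1: a normal sync of 40 scattered numbers, 36 of them registered
    for i in range(40):
        rows.append((100 + i, "u1", f"+43660{(i * 7919) % 100000:05d}", i % 10 != 0))
    # s1: a sweep of 1200 consecutive numbers in 20 minutes, only 1 in 4 registered
    for i in range(1200):
        rows.append((100 + i, "s1", f"+9198000{i:05d}", i % 4 == 0))
    return rows

def _digits(number):
    return int("".join(ch for ch in number if ch.isdigit()))

def detect_enumeration(rows, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS_PER_WINDOW,
                       min_hit_rate=MIN_HIT_RATE):
    """Return {client_id: [reasons]} for clients whose lookups look like enumeration."""
    per_client = defaultdict(list)
    for ts, client, number, registered in sorted(rows):
        per_client[client].append((ts, number, registered))
    flagged = {}
    for client, lookups in per_client.items():
        reasons = []
        # 1. Volume: peak number of lookups inside any sliding window of `window` seconds.
        peak, start = 0, 0
        for end in range(len(lookups)):
            while lookups[end][0] - lookups[start][0] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_lookups:
            reasons.append(f"{peak} lookups within {window}s")
        # 2. Hit rate: a guessed number range is mostly unregistered, a phone book is not.
        hit_rate = sum(1 for _, _, r in lookups if r) / len(lookups)
        if len(lookups) >= MIN_LOOKUPS_FOR_RATE and hit_rate < min_hit_rate:
            reasons.append(f"hit rate {hit_rate:.2f}")
        # 3. Shape: consecutive queried numbers that differ by exactly 1 suggest a sweep.
        steps = [_digits(b[1]) - _digits(a[1]) for a, b in zip(lookups, lookups[1:])]
        if steps and sum(1 for s in steps if s == 1) / len(steps) > 0.8:
            reasons.append("sequential number sweep")
        if reasons:
            flagged[client] = reasons
    return flagged
```

Run against the constructed log, the normal client `u1` passes all three checks while `s1` is flagged on every one; in practice the three signals would feed a per-account throttle rather than a hard block, since a single large but legitimate address book can trip the volume check alone.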