Researchers probed WhatsApp's contact-discovery API and were surprised by how much user data they could harvest simply by scraping it.
In 2025, with attention focused on AI, API security often gets overlooked. Yet APIs remain the leading attack vector, including in AI-related breaches, and API vulnerabilities are still far too common, even at large companies with dedicated security teams, like WhatsApp.
If you have family or friends in other countries, you might have used WhatsApp to communicate with them cheaply and reliably. But what if you found out the messaging app was not as secure as you thought?
Researchers from the University of Vienna and SBA Research recently found API weaknesses that let them link 3.5 billion phone numbers to active WhatsApp accounts. They started by submitting candidate phone numbers to the platform’s GetDeviceList API endpoint, whose response reveals whether a number is registered and which devices and account it corresponds to.
Because the endpoint enforced no rate limiting, they could repeat this indefinitely, reaching a throughput of more than 100 million phone numbers per hour.
Using additional API endpoints, the researchers went further and pulled other information about each enumerated account: profile photos, “about” text, and other linked devices. They downloaded 77 million profile photos, many showing identifiable faces.
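What this kind of enumeration looks like from the API owner's side, and why a lack of rate limiting is a detection problem as much as a prevention one, is easier to see on concrete traffic. The following is an added example written for this article, not code from the researchers, WhatsApp or FireTail: it parses an assumed log format for a hypothetical contact-discovery endpoint (`/v1/contacts/lookup`), then flags clients by three signals that separate a phone syncing its address book from a scraper walking a number range: the number of distinct numbers resolved inside a sliding window, the share of consecutive lookups that differ by exactly one, and the ratio of lookups that hit unregistered numbers. The sample traffic is constructed, and the thresholds are illustrative assumptions.

```python
"""Spotting phone-number enumeration in contact-discovery API logs.

Added example, not code from the researchers, WhatsApp or FireTail. The log
format, the endpoint path /v1/contacts/lookup and the thresholds are
assumptions chosen for the demo; the traffic below is constructed, not real.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

LOOKUP_PATH = "/v1/contacts/lookup"  # hypothetical contact-discovery endpoint

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) "
    r"number=(?P<number>\+\d+) result=(?P<result>found|not_found)$"
)


@dataclass
class Event:
    ts: datetime
    client: str
    path: str
    number: int
    found: bool


@dataclass
class Finding:
    client: str
    lookups: int
    peak_distinct_in_window: int  # most distinct numbers seen in one window
    sequential_fraction: float    # share of lookups that were previous number +/- 1
    not_found_ratio: float        # range walking mostly hits unregistered numbers
    flagged: bool


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["client"], m["path"], int(m["number"]), m["result"] == "found")


def analyze(lines, window=timedelta(seconds=60), max_distinct=100,
            seq_threshold=0.5, min_lookups=20) -> dict:
    """Return one Finding per client that hit the lookup endpoint."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    per_client = defaultdict(list)
    for e in events:
        if e.path == LOOKUP_PATH:
            per_client[e.client].append(e)

    findings = {}
    for client, evs in per_client.items():
        # Sliding window over distinct numbers: an address-book sync is small
        # and happens once; a scraper's distinct count grows without bound.
        win = deque()
        in_window = defaultdict(int)
        peak = 0
        for e in evs:
            win.append(e)
            in_window[e.number] += 1
            while e.ts - win[0].ts > window:
                old = win.popleft()
                in_window[old.number] -= 1
                if in_window[old.number] == 0:
                    del in_window[old.number]
            peak = max(peak, len(in_window))

        # Range walking: consecutive lookups that differ by exactly one.
        steps = sum(1 for a, b in zip(evs, evs[1:]) if abs(b.number - a.number) == 1)
        seq_frac = steps / (len(evs) - 1) if len(evs) > 1 else 0.0
        not_found = sum(1 for e in evs if not e.found) / len(evs)

        flagged = peak > max_distinct or (
            len(evs) >= min_lookups and seq_frac > seq_threshold)
        findings[client] = Finding(client, len(evs), peak, seq_frac, not_found, flagged)
    return findings


def make_sample_log() -> list[str]:
    """Constructed traffic: 'legit' syncs five contacts; 'scraper' walks a
    number range at 50 lookups/s for one minute (3,000 numbers)."""
    t0 = datetime(2025, 11, 18, 10, 0, tzinfo=timezone.utc)

    def fmt(ts, client, number, found):
        stamp = ts.isoformat().replace("+00:00", "Z")
        res = "found" if found else "not_found"
        return f"{stamp} client={client} path={LOOKUP_PATH} number=+{number} result={res}"

    lines = []
    for i, n in enumerate([436641000123, 436641000987, 436641002222,
                           436641003333, 436641004444]):
        lines.append(fmt(t0 + timedelta(seconds=3 * i), "legit", n, True))
    for i in range(3000):
        # Only every seventh number in the walked range is registered.
        lines.append(fmt(t0 + timedelta(milliseconds=20 * i), "scraper",
                         436640000000 + i, i % 7 == 0))
    return lines


if __name__ == "__main__":
    for f in analyze(make_sample_log()).values():
        print(f)
```

The same per-client window count is what a server-side limiter would enforce before answering: cap distinct lookups per client per window, and alert when a client approaches the cap rather than only when it exceeds it, since a scraper that stays just under any single limit still stands out on the sequential-number and not-found signals.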
Cross-referencing the phone numbers leaked in the 2021 Facebook breach, which are still circulating, showed that over 58% of those numbers remain in use on WhatsApp today. The researchers highlighted how old breach data like this can be combined with fresh enumeration results to target users in follow-on campaigns.
The lack of rate limiting on WhatsApp's APIs remains unsolved, leaving more user data exposed to scraping. Users should exercise caution on the platform: keep personal information out of the “about” section, restrict the visibility of the profile photo and “about” text to contacts in the privacy settings, and consider changing the phone number they use with the service.
Want to take charge of your API security? FireTail is here to help. Schedule a demo with us to see how you can get started, today.