Security researchers have said that they managed to scrape phone numbers linked to over 3.5 billion active WhatsApp accounts, including nearly 750 million (75 crore) users in India – the highest count globally.
They were also able to extract publicly displayed WhatsApp profile photos of 62 per cent (or 46.5 crore) Indian users, along with other profile details such as the ‘About’ text, companion-device usage, business account information, and more. These findings are part of a new research paper published on Tuesday, November 18, by a group of computer scientists from the University of Vienna in Austria, who said that they were able to compile these large datasets of WhatsApp account information by taking advantage of the instant messaging platform’s contact-discovery feature.
A WhatsApp user can easily see if a contact is registered on the platform by saving the mobile number on their phone and checking whether it appears in the chat list. If the other user has not restricted visibility in their account settings, their profile photo and name often show up as well.
While the contact-discovery feature may be convenient for users to find and initiate conversations with other users, it can be abused to harvest WhatsApp profile data at scale using advanced methods to leverage WhatsApp’s XMPP protocol, the research shows.
Of the 3.5 billion active accounts they identified globally, the researchers said they were able to scrape publicly visible profile photos of 57 per cent of users. In Brazil, 61 per cent of the 206 million WhatsApp-linked numbers they found had profile photos exposed – the largest share after India.
Generally, rate-limiting is considered to be a standard defence against such abuse. However, the researchers accused WhatsApp of failing to limit the speed or number of contact discovery requests that they could make by interacting with WhatsApp’s browser-based app. “In our study, we were able to probe over 100 million phone numbers per hour without encountering blocking or effective rate limiting,” the paper read.
To note, the Meta-owned platform reportedly fixed the enumeration problem in October this year, by enacting a stricter “rate-limiting” measure against the mass-scale contact discovery method used by the researchers. However, the findings of the study were first brought to WhatsApp in April 2025, which means that other actors may have used the same scraping technique to harvest volumes of WhatsApp profile data in the past.
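An added illustration of the rate-limiting defence discussed above, not code from the research paper or from WhatsApp. The class name, thresholds and phone numbers are constructed assumptions. It budgets each client by the number of distinct numbers it looks up within a sliding window, so re-syncing an existing address book costs nothing while walking a number range is cut off.

```python
from collections import deque


class DiscoveryLimiter:
    """Hypothetical per-client budget on *distinct* numbers queried per window."""

    def __init__(self, max_new_numbers=500, window_s=3600):
        self.max_new = max_new_numbers
        self.window_s = window_s
        self.events = {}  # client_id -> deque of (timestamp, number) charges
        self.seen = {}    # client_id -> set of numbers currently charged

    def allow(self, client_id, number, now):
        q = self.events.setdefault(client_id, deque())
        seen = self.seen.setdefault(client_id, set())
        # Drop charges that have aged out of the sliding window.
        while q and now - q[0][0] >= self.window_s:
            _, old = q.popleft()
            seen.discard(old)
        if number in seen:
            return True   # repeat lookup of an already-charged contact
        if len(seen) >= self.max_new:
            return False  # budget of new numbers exhausted: refuse the lookup
        q.append((now, number))
        seen.add(number)
        return True


def simulate():
    """Run constructed traffic through the limiter; returns allowed lookups."""
    lim = DiscoveryLimiter(max_new_numbers=500, window_s=3600)
    # Constructed: a phone syncing the same 200-entry address book twice.
    book = [f"+999{i:07d}" for i in range(200)]
    phone_ok = sum(lim.allow("phone", n, now=t) for t in (0, 1800) for n in book)
    # Constructed: a client walking 5,000 consecutive numbers, one every 0.5 s.
    scraper_ok = sum(
        lim.allow("scraper", f"+999{1_000_000 + i:07d}", now=i * 0.5)
        for i in range(5000)
    )
    return phone_ok, scraper_ok


if __name__ == "__main__":
    print(simulate())
```

A production limiter would also need budgets per IP address and per device, since a scraper can spread lookups across many accounts.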
Importantly, the findings do not show that WhatsApp’s end-to-end encryption has been compromised. But even the exposure of basic user details such as phone number, About text, and profile photo can be used to create vast databases of personally identifiable information.
“In the hands of a malicious actor, this data could be used to construct a facial recognition–based lookup service — effectively a “reverse phone book” — where individuals and their related phone numbers and available metadata could be queried based on their face,” the research paper read. “Beyond facial features, additional elements captured in profile pictures, such as license plates, street signs, or recognizable landmarks, could enable more sophisticated profiling and leak a user’s identity, location, or daily environment,” it added.
Meta declined to comment on the findings when reached by The Indian Express.
What it means for India
India is the largest market for Meta and WhatsApp, with more than 700 million people using the platform each month, according to data from Sensor Tower. The researchers’ discovery comes just days after the notification of the Digital Personal Data Protection (DPDP) rules to operationalise the country’s data protection legislation, which is being implemented two years after it was passed into law.
A user’s phone number or e-mail address is classified as digital personal data under the DPDP Act, 2023, which defines ‘personal data breach’ as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.”
However, the provisions of the Act do not apply to personal data that has been made publicly available by users. This means that users who set their profile photo as publicly visible may not be protected under the existing law. On the other hand, WhatsApp still does not offer a way for users to find and communicate with other users without using their phone numbers (though such a feature is said to be in beta).
How to safeguard yourself
Signal, the privacy-focused alternative to WhatsApp, rolled out a feature last year that lets users create a unique username that they can share with others instead of sharing their phone number. Additionally, users can choose to hide their phone numbers so that others using Signal won’t be able to see if that user has an account or even start a conversation with them unless they have their username.
But users still need a phone number to sign up on the platform.
As for WhatsApp, users can currently choose to make their profile information accessible only to their selected contacts or nobody. It further shows users regular in-app reminders to review their settings and enable privacy controls. The platform has said it is also implementing various defenses against scrapers, including rate-limiting and machine-learning methods to ban scrapers.
“We had already been working on industry-leading anti-scraping methods, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses,” Nitin Gupta, vice president of engineering at WhatsApp, was quoted as saying by Wired. “We’ve found no evidence of malicious actors abusing this vector,” he added.

