WhatsApp, with 3.5 billion active accounts as of early 2025, is the world's largest instant messaging platform. Given its massive user base, WhatsApp plays a critical role in global communication. To initiate conversations, users must first discover whether their contacts are registered on the platform. This is achieved by querying WhatsApp's servers with mobile phone numbers extracted from the user's address book (if they allowed access). This architecture inherently enables phone number enumeration, as the service must allow legitimate users to query contact availability. While rate limiting is a standard defense against abuse, we revisit the problem and show that WhatsApp remains highly vulnerable to enumeration at scale. In our study, we were able to probe over a hundred million phone numbers per hour without encountering blocking or effective rate limiting. Our findings demonstrate not only the persistence but the severity of this vulnerability. We further show that nearly half of the phone numbers disclosed in the 2021 Facebook data leak are still active on WhatsApp, underlining the enduring risks associated with such exposures. Moreover, we were able to perform a census of WhatsApp users, providing a glimpse on the macroscopic insights a large messaging service is able to generate even though the messages themselves are end-to-end encrypted. Using the gathered data, we also discovered the re-use of certain X25519 keys across different devices and phone numbers, indicating either insecure (custom) implementations, or fraudulent activity. In this updated version of the paper, we also provide insights into the collaborative remediation process through which we confirmed that the underlying rate-limiting issue had been resolved.

翻译：截至2025年初，WhatsApp拥有35亿活跃账户，是全球最大的即时通讯平台。鉴于其庞大的用户基数，WhatsApp在全球通信中扮演着关键角色。用户发起对话前，必须先确认其联系人是否在该平台注册。这一过程通过向WhatsApp服务器查询从用户通讯录（若已授权访问）提取的手机号码来实现。该架构本质上支持电话号码枚举，因为服务必须允许合法用户查询联系人可用性。虽然速率限制是防止滥用的标准防御手段，但我们重新审视了该问题，并证明WhatsApp在大规模枚举攻击面前仍高度脆弱。在本研究中，我们每小时能探测超过一亿个电话号码，且未遭遇阻断或有效的速率限制。我们的发现不仅证实了该漏洞的持续存在，更揭示了其严重性。我们进一步指出，2021年Facebook数据泄露事件中近半数的电话号码仍在WhatsApp上活跃，凸显了此类信息暴露带来的持久风险。此外，我们成功实施了WhatsApp用户普查，揭示了即使消息本身采用端到端加密，大型通讯服务仍能生成宏观洞察。利用收集的数据，我们还发现某些X25519密钥在不同设备和电话号码间重复使用，这表明存在不安全的（定制）实现或欺诈活动。在本文的更新版本中，我们还通过协作修复流程确认了底层速率限制问题已得到解决，并提供了相关分析。