The researchers from the University of Vienna and SBA Research used WhatsApp’s contact-discovery feature, which lets a client submit a phone number to the platform’s GetDeviceList API endpoint and learn whether that number is associated with an account and which devices are registered to it.

Without strict rate limiting, APIs like this can be abused to perform large-scale enumeration across a platform.

The researchers found this to be the case with WhatsApp, as they were able to send a high volume of queries directly to WhatsApp’s servers, checking more than 100 million numbers per hour.

They ran the entire operation from a single university server using just five authenticated sessions, initially expecting to get caught by WhatsApp. However, the platform never blocked the accounts, never throttled their traffic, never restricted their IP address, and never reached out despite all the abusive activity coming from one device.
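The failure described above is the absence of any limit keyed to the session or the source host. As an added example (not code from the research or from WhatsApp), the sliding-window limiter below counts every lookup against both the authenticated session and the source IP, then replays a constructed log in which one host rotates five sessions to probe 500 consecutive numbers; the limits, session ids, IPs and numbers are assumptions made up for the example.

```python
from collections import defaultdict, deque

# Limits are assumptions for this example, not WhatsApp's actual policy.
WINDOW_SECONDS = 60
PER_SESSION_LIMIT = 50   # lookups one authenticated session may make per window
PER_IP_LIMIT = 300       # lookups all sessions behind one source IP may make per window


class LookupLimiter:
    """Counts every lookup against both the session and the source IP, so
    rotating a handful of sessions on one host does not escape the limit."""

    def __init__(self):
        self.session_hits = defaultdict(deque)
        self.ip_hits = defaultdict(deque)

    @staticmethod
    def _count(queue, now):
        # Age out timestamps older than the window, record this hit, return the count.
        while queue and now - queue[0] >= WINDOW_SECONDS:
            queue.popleft()
        queue.append(now)
        return len(queue)

    def check(self, now, session, ip):
        """Return 'allow', 'throttle_ip' or 'throttle_session' for one lookup.
        Throttled attempts are still counted, so probing on keeps the client throttled."""
        ip_count = self._count(self.ip_hits[ip], now)
        session_count = self._count(self.session_hits[session], now)
        if ip_count > PER_IP_LIMIT:
            return "throttle_ip"
        if session_count > PER_SESSION_LIMIT:
            return "throttle_session"
        return "allow"

def constructed_log():
    """Constructed sample log: one host rotating five sessions to look up 500
    consecutive numbers in five seconds, plus a legitimate client syncing three contacts.
    Records are (timestamp_seconds, session_id, source_ip, e164_number)."""
    probe = [(i * 0.01, f"sess{i % 5}", "203.0.113.7", f"+43660{1000000 + i}") for i in range(500)]
    legit = [(1.0 + k, "sess_legit", "198.51.100.4", f"+43677{100000 + k}") for k in range(3)]
    return sorted(probe + legit)

def replay(log):
    """Run the limiter over the log and return how many lookups got each decision."""
    limiter, counts = LookupLimiter(), defaultdict(int)
    for ts, session, ip, _number in log:
        counts[limiter.check(ts, session, ip)] += 1
    return dict(counts)
```

Replaying the constructed log allows the legitimate client's three lookups and the probing host's first 250, then throttles the remaining 250 (first per session, then per IP once the host's aggregate crosses 300).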

The researchers then generated a global set of 63 billion potential mobile numbers and tested all of them against the API. Their queries returned 3.5 billion active WhatsApp accounts.