WhatsApp Metadata Leak Exposes User Info to Attackers
WhatsApp has patched a critical flaw that allowed attackers to harvest user metadata simply by knowing a victim's phone number, according to a Dark Reading analysis published this week. The vulnerability, tracked as CVE-2023-45857, was discovered by researchers at Security Innovation and resides in the way WhatsApp's server handles the 'presence' and 'profile picture' API calls. It affects WhatsApp versions prior to 2.23.10.76 on both iOS and Android, exposing information such as online status, last-seen timestamp, profile picture, and the 'About' text even when a user's privacy settings are set to 'My Contacts' or 'Nobody'.
The technical root cause lies in an unauthenticated endpoint at https://wps.whatsapp.com/v1/presence that accepts a phone number in E.164 format and returns JSON containing "status", "lastSeen", "profilePhotoUrl", and "about" fields. By sending a specially crafted POST request with a valid WhatsApp token, an attacker can retrieve this data because the privacy policy is enforced only on the client side, after the server has already returned the full record, effectively bypassing the user's selected visibility restrictions. The same issue affects the /v1/profile/
Security analysts warn that the exposed metadata can be leveraged for a range of malicious activities, including precise social-engineering attacks, unsolicited stalking, and targeted corporate espionage. Correlation of online-status patterns with time-zone information can reveal a victim's location habits, while the profile photo can be used in deep-fake creation or to impersonate the user on other platforms. The harvested data also complements existing phone-number breach datasets, increasing the effectiveness of credential-stuffing and vishing campaigns.
WhatsApp urges all users to update to version 2.23.10.76 or later, which remediates the flaw by enforcing server-side privacy checks before returning presence data. Additional hardening measures include enabling two-step verification, setting 'Last Seen' to 'Nobody', blocking messages from unknown contacts, and reviewing privacy settings regularly. Organizations are advised to monitor network traffic for suspicious calls to the WhatsApp API and to educate employees about the risks of sharing phone numbers on public or third-party platforms.
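The root-cause and remediation paragraphs above describe the same design mistake from two sides: a presence service that returns the whole record and trusts the client to hide fields, versus one that applies the owner's privacy settings on the server. The following is an added illustration, not WhatsApp's code or the researchers' code; the `Account` model, the phone numbers, the `presence_vulnerable` and `presence_hardened` functions and the per-field `privacy` map are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed model of a presence lookup service (not WhatsApp's implementation).
# Visibility levels mirror the settings named in the article.
PRIVACY_LEVELS = ("everyone", "my_contacts", "nobody")

@dataclass
class Account:
    phone: str                                  # E.164, e.g. "+14155550100"
    contacts: set = field(default_factory=set)  # phones the owner has saved
    status: str = "offline"
    last_seen: int = 0                          # epoch seconds
    profile_photo_url: str = ""
    about: str = ""
    # Owner's chosen visibility for each field of the presence record.
    privacy: dict = field(default_factory=lambda: {
        "status": "my_contacts", "lastSeen": "nobody",
        "profilePhotoUrl": "my_contacts", "about": "everyone"})

def full_record(acct):
    return {"status": acct.status, "lastSeen": acct.last_seen,
            "profilePhotoUrl": acct.profile_photo_url, "about": acct.about}

def presence_vulnerable(accounts, requester, target_phone):
    # Flawed pattern from the article: every field is returned for any number
    # and privacy filtering is left to the client app, so a caller talking to
    # the endpoint directly sees everything regardless of the owner's settings.
    return full_record(accounts[target_phone])

def visible(field_name, owner, requester):
    level = owner.privacy.get(field_name, "nobody")
    if level == "everyone":
        return True
    if level == "my_contacts":
        return requester in owner.contacts
    return False  # "nobody" or an unknown level: deny by default

def presence_hardened(accounts, requester, target_phone):
    # Remediated pattern: the owner's settings are applied before any data
    # leaves the server; unknown targets and anonymous callers get nothing.
    if requester is None or target_phone not in accounts:
        return {}
    owner = accounts[target_phone]
    return {k: v for k, v in full_record(owner).items()
            if visible(k, owner, requester)}

# Constructed sample data: one account with one saved contact.
ACCOUNTS = {
    "+14155550100": Account("+14155550100", contacts={"+14155550101"},
                            status="online", last_seen=1700000000,
                            profile_photo_url="https://example.invalid/p.jpg",
                            about="Hey there"),
}
```

With the hardened function a stranger receives only the 'About' text the owner set to 'Everyone', while a saved contact still never sees the 'Last Seen' value set to 'Nobody'.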