Concise Cyber

WhatsApp Security Flaw in Events Feature Exposed Billions of Phone Numbers

A security vulnerability was discovered within WhatsApp’s Events feature that exposed the full phone numbers of users to other members of their groups. The flaw, identified by researcher Louis Barclay, occurred when a user responded to an event invitation within a group chat. This action made their phone number visible in the HTML code of the WhatsApp web client for all other group participants to see.

The exposure happened regardless of a user’s privacy settings. Even individuals who had configured their accounts to hide their phone number from others were affected by this bug. The researcher described the issue as a “pretty trivial bug” that bypassed intended privacy controls. A similar flaw was also found in the WhatsApp Channels feature.

Details of the Phone Number Exposure

When a WhatsApp user RSVP’d to an event, their full, unmasked phone number was embedded in the web page’s source code. Any other member of that same group using the web version of WhatsApp could inspect the page’s code to find the number. This bug directly contradicted WhatsApp’s privacy settings that allow users to control who can see their phone number.

The discovery was made by Barclay, who also identified a related, though less severe, vulnerability in the Signal messaging app’s group feature. Both companies were notified of the security issues.

Vulnerability Patched by Meta

After being notified of the vulnerability by the researcher, Meta, the parent company of WhatsApp, addressed the issue. A spokesperson for WhatsApp confirmed that the company had implemented a fix. The repair was deployed as a server-side update, meaning users did not need to manually update their application to be protected from the flaw. Signal also patched the similar vulnerability that was reported in its platform.
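The article describes a number reaching the web client's HTML despite the owner's privacy setting, and a fix applied server-side. The sketch below is an added example, not WhatsApp's code: it shows that class of bug next to a per-viewer serializer and a regression check over the rendered markup. The data model, field names, visibility values and sample numbers are all assumptions constructed for illustration.

```javascript
// Added illustration: every name and the data model are hypothetical.
// Constructed sample data (fictional 555-01xx numbers); Ben hides his number.
const members = {
  u1: { name: "Ana", phone: "+15555550101", phoneVisibility: "everyone" },
  u2: { name: "Ben", phone: "+15555550102", phoneVisibility: "nobody" },
};
const rsvps = [{ userId: "u1", reply: "going" }, { userId: "u2", reply: "maybe" }];
const viewer = { id: "u3", inContactsOf: [] }; // another group member on the web client

// Privacy decision, evaluated on the server for each (owner, viewer) pair.
function canSeePhone(ownerId, members, viewer) {
  const vis = members[ownerId].phoneVisibility;
  if (ownerId === viewer.id || vis === "everyone") return true;
  return vis === "contacts" && viewer.inContactsOf.includes(ownerId);
}

// Weak pattern: ship the whole member record and rely on the UI not to display it.
function serializeRsvpsUnsafe(rsvps, members) {
  return rsvps.map(r => ({ userId: r.userId, ...members[r.userId], reply: r.reply }));
}

// Hardened pattern: allow-list the fields; add the phone only if this viewer may see it.
function serializeRsvpsForViewer(rsvps, members, viewer) {
  return rsvps.map(r => {
    const out = { userId: r.userId, name: members[r.userId].name, reply: r.reply };
    if (canSeePhone(r.userId, members, viewer)) out.phone = members[r.userId].phone;
    return out;
  });
}

const esc = s => String(s).replace(/[&<>"']/g, c => "&#" + c.charCodeAt(0) + ";");

// Stand-in for the client: whatever it receives ends up somewhere in the markup.
function renderHtml(items) {
  return items.map(i => {
    const attr = i.phone ? ` data-phone="${esc(i.phone)}"` : "";
    return `<li${attr}>${esc(i.name)}: ${esc(i.reply)}</li>`;
  }).join("");
}

// Regression check: ids of members whose hidden number still appears in the HTML.
function leakedPhones(html, members, viewer) {
  return Object.keys(members)
    .filter(id => !canSeePhone(id, members, viewer) && html.includes(members[id].phone));
}

console.log("unsafe:", leakedPhones(renderHtml(serializeRsvpsUnsafe(rsvps, members)), members, viewer));
console.log("per-viewer:", leakedPhones(renderHtml(serializeRsvpsForViewer(rsvps, members, viewer)), members, viewer));
```

Running the check against markup rendered for a test account that is not in the hidden user's contacts is what turns the privacy setting into something a build can fail on.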