The WhatsApp Android Contact Gating Bypass was a privacy vulnerability that allowed an attacker to circumvent the mechanism WhatsApp uses to protect user privacy from unknown numbers.
Normally, users cannot view profile details (like picture or "About" status) or initiate chats with numbers not saved in their contacts. This "contact gating" prevents unsolicited access to personal information.
However, a specially crafted "click-to-chat" link (wa.me) could exploit how WhatsApp handled certain URI schemes (e.g., `content://`), tricking the app into treating the unknown number as a contact and revealing the target's profile information to the attacker.
It was a privacy breach that enabled unauthorized access to limited user data. WhatsApp patched this vulnerability (e.g., CVE-2022-36934) in app updates, emphasizing the importance of keeping the app current.
Background
To prevent security issues and spam, WhatsApp for Android requires some form of user interaction before it automatically downloads files from non-contacts:
a. After adding someone as a contact, all future images/files received from them will be downloaded.
b. For individual chats, if you respond to a non-contact, future media/documents from them will be automatically downloaded.
c. For group chats, opening the group once will cause all future messages from that group to be downloaded.
d. Manually pressing download on an image from a non-contact will also download that media/document.
Once downloaded, files can appear in the MediaStore database, which opens up attack surface. WhatsApp calls MEDIA_SCANNER_SCAN_FILE on the file immediately after download, so it shows up in MediaStore right away. A bypass of any of these requirements can make vulnerabilities like
PZ-442423708 and PZ-443741909 reachable without any of the user interaction listed above. This vulnerability requires the precondition of knowing, guessing, or leaking one of the victim's contacts, making it lower severity than a full contact gating bypass. However, it is easy to attempt many times in quick succession, and contacts are likely easy to guess in targeted attacks.
VULNERABILITY DETAILS/REPRODUCTION CASE
1. Attacker creates a WhatsApp Group.
2. Attacker adds Victim to the WhatsApp Group.
3. Attacker adds Victim's Contact to the WhatsApp Group.
4. Attacker promotes Victim's Contact to admin.
5. Attacker sends a presumably malicious image to the WhatsApp Group (WhatsApp Web is the easiest way to avoid errors on the sender's client).
6. Victim's device automatically downloads the image without the Victim ever interacting with the group.
6.a. Note that the image is not downloaded by the Victim's Contact.
Note: to verify that the photo is now in the MediaStore database, run `adb shell content query --uri content://media/external/file --projection _data` on the Victim's device.
Note: Disabling Automatic Download or enabling WhatsApp Advanced Privacy Mode prevents the file from being automatically downloaded.
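As an added example (not code from the Project Zero report or from WhatsApp), the following Python script automates the MediaStore check above for a tester's own device: it parses the output of the quoted `adb shell content query` command, keeps only the entries under WhatsApp's media directories (the directory prefixes are assumptions about WhatsApp's storage layout on Android), and diffs two snapshots so the tester can see which WhatsApp files were indexed between them. The two snapshots embedded in the script are constructed sample output, not captures from a real device.

```python
"""Audit MediaStore for WhatsApp media that arrived without user interaction.

Added example, not part of the Project Zero report. It parses the output of
`adb shell content query --uri content://media/external/file --projection _data`
(the command quoted in the report) and diffs two snapshots taken before and
after a message is sent, so newly indexed WhatsApp media stands out.
"""
import re
import subprocess
from typing import List

# The MediaStore query quoted in the report, as an argv list for subprocess.
MEDIASTORE_QUERY = [
    "adb", "shell", "content", "query",
    "--uri", "content://media/external/file",
    "--projection", "_data",
]

# Assumed WhatsApp media locations on scoped-storage and older Android builds.
WHATSAPP_MEDIA_MARKERS = (
    "/Android/media/com.whatsapp/WhatsApp/Media/",
    "/WhatsApp/Media/",
)

# `content query` prints one row per line: "Row: <n> _data=<path>".
ROW_RE = re.compile(r"^Row:\s*\d+\s+_data=(?P<path>.*)$")


def parse_content_query(output: str) -> List[str]:
    """Return the _data paths from `content query` output, skipping malformed lines."""
    paths = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            paths.append(m.group("path").strip())
    return paths


def whatsapp_media(paths: List[str]) -> List[str]:
    """Keep only paths that live under an (assumed) WhatsApp media directory."""
    return [p for p in paths if any(marker in p for marker in WHATSAPP_MEDIA_MARKERS)]


def newly_indexed(before: List[str], after: List[str]) -> List[str]:
    """Paths present in the second snapshot but not the first, order preserved."""
    seen = set(before)
    return [p for p in after if p not in seen]


def snapshot_device() -> List[str]:
    """Run the adb query against a connected device; returns WhatsApp media paths."""
    out = subprocess.run(MEDIASTORE_QUERY, capture_output=True, text=True, check=True).stdout
    return whatsapp_media(parse_content_query(out))


# Constructed sample output standing in for two adb runs: one taken before the
# image is sent to the group and one taken afterwards.
SAMPLE_BEFORE = """\
Row: 0 _data=/storage/emulated/0/DCIM/Camera/IMG_0001.jpg
Row: 1 _data=/storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp Images/IMG-20250901-WA0001.jpg
"""

SAMPLE_AFTER = SAMPLE_BEFORE + """\
Row: 2 _data=/storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp Images/IMG-20250915-WA0002.jpg
Row: 3 _data=/storage/emulated/0/Download/unrelated.pdf
"""


def audit_sample() -> List[str]:
    """Diff the two constructed snapshots; returns WhatsApp media indexed in between."""
    before = whatsapp_media(parse_content_query(SAMPLE_BEFORE))
    after = whatsapp_media(parse_content_query(SAMPLE_AFTER))
    return newly_indexed(before, after)


if __name__ == "__main__":
    # With a device attached, replace the sample snapshots with two calls to
    # snapshot_device() around the message being tested.
    for path in audit_sample():
        print("newly indexed WhatsApp media:", path)
```

Run it once before sending the test message and once after, keeping the first snapshot, and only files WhatsApp indexed in between are reported; an unrelated download in the second snapshot (the constructed `unrelated.pdf` row) is filtered out because it is not under a WhatsApp media directory.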
VERSION
WhatsApp Version: 2.25.23.81 (stable on the WhatsApp website).
WhatsApp Version: 2.25.22.80 (stable on the Play Store).
Credit Information
Brendon Tiszka of Google Project Zero.
This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2025-11-30.
- Written by: khalil shreateh
- Category: Vulnerabilities