Seems to me that Whatsapp should be able to rate-limit these requests and work to secure the interface so only the legit website can actually pull the info?
The initial website display comes from a QR code you scan on your phone, which the website then gets authorized by. Could they not then limit queries to that account?
I could be way off the mark, but it seems to me like the worst of this could be mitigated quite easily without much loss in functionality for users?
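One way to implement the per-linked-session limit the comment above proposes, as an added example (not from the thread and not WhatsApp's code); the class name, thresholds and the session/phone-number identifiers are assumptions:

```python
"""Added example: rate-limit profile lookups per linked web session (assumed design)."""
import time
from collections import deque


class ProfileLookupLimiter:
    """Token bucket per linked session, plus a cap on how many *distinct* numbers
    one session may look up per window: a real user rarely exceeds it, a scraper must."""

    def __init__(self, rate_per_sec=1.0, burst=20, distinct_cap=200, window_sec=3600):
        self.rate = rate_per_sec          # steady-state lookups per second
        self.burst = burst                # short bursts a legitimate client may need
        self.distinct_cap = distinct_cap  # distinct numbers per window (assumed value)
        self.window = window_sec
        self._buckets = {}                # session_id -> [tokens, last_refill_ts]
        self._seen = {}                   # session_id -> deque of (ts, phone_number)

    def allow(self, session_id, phone_number, now=None):
        """Return (allowed, reason). Rejected calls do not consume tokens."""
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(session_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            return False, "rate_limited"
        seen = self._seen.setdefault(session_id, deque())
        while seen and now - seen[0][0] > self.window:   # drop lookups outside window
            seen.popleft()
        distinct = {n for _, n in seen}
        if phone_number not in distinct and len(distinct) >= self.distinct_cap:
            return False, "enumeration_suspected"        # many new numbers: scraping pattern
        self._buckets[session_id] = [tokens - 1, now]
        seen.append((now, phone_number))
        return True, "ok"


def simulate_scrape(limiter, session_id, numbers, start=0.0, step=0.01):
    """Replay a burst of lookups of distinct numbers (constructed scraper traffic) and
    return (lookups allowed, count of each rejection reason)."""
    allowed, reasons = 0, {}
    for i, number in enumerate(numbers):
        ok, why = limiter.allow(session_id, number, now=start + i * step)
        allowed += ok
        reasons[why] = reasons.get(why, 0) + 1
    return allowed, reasons


if __name__ == "__main__":
    scraper = ProfileLookupLimiter()
    fake_numbers = [f"+1555000{i:04d}" for i in range(1000)]   # constructed input
    print(simulate_scrape(scraper, "linked-session-A", fake_numbers))
```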
WhatsApp does monitor their network and API calls being performed. This way they ban spammers and fake clients going on the WhatsApp network. I suspect they use some form of machine learning to filter out the non-users and when you're identified: you're getting banned. This means that you can no longer use your phone number and need a new SIM. So this story isn't feasible for "huge amounts of data". You might be able to download a few 100k of profile pictures but you will get banned.