Despite these protections, username-based messaging is not yet enabled, meaning the primary attack surface, unsolicited contact using a look-alike or typo-squatted handle, isn’t currently exploitable.
When messaging via username does roll out, WhatsApp says it will surface country-of-origin metadata and first-time-contact warnings, mirroring existing “unknown sender” heuristics already used for phone-number-based messages.
Critically, usernames are not searchable, closing off the enumeration vector that made phone-number harvesting a common OSINT and spam technique, and users can further reduce exposure by adding a “username key” restricting discoverability to a WhatsApp-unique handle.
WhatsApp has begun allowing users to reserve usernames ahead of a broader feature launch planned for later this year, prompting a wave of questions about security, impersonation risk, and account linkage that security researchers should be tracking closely.
cybersecuritynews.com