
WhatsApp Fixes 'Zero-Click' Bug Used To Hack Apple Users With Spyware (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: WhatsApp said on Friday that it fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of "specific targeted users." The Meta-owned messaging app giant said in its security advisory that it fixed the vulnerability, known officially as CVE-2025-55177, which was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.

Apple said at the time that the flaw was used in an "extremely sophisticated attack against specific targeted individuals." Now we know that dozens of WhatsApp users were targeted with this pair of flaws. Donncha O Cearbhaill, who heads Amnesty International's Security Lab, described the attack in a post on X as an "advanced spyware campaign" that targeted users over the past 90 days, or since the end of May. O Cearbhaill described the pair of bugs as a "zero-click" attack, meaning it does not require any interaction from the victim, such as clicking a link, to compromise their device.

The two bugs chained together allow an attacker to deliver a malicious exploit through WhatsApp that's capable of stealing data from the user's Apple device. Per O Cearbhaill, who posted a copy of the threat notification that WhatsApp sent to affected users, the attack was able to "compromise your device and the data it contains, including messages." It's not immediately clear who, or which spyware vendor, is behind the attacks. When reached by TechCrunch, Meta spokesperson Margarita Franklin confirmed the company detected and patched the flaw "a few weeks ago" and that the company sent "less than 200" notifications to affected WhatsApp users. The spokesperson did not say, when asked, if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.

  • My fix for "WhatsApp" is to never have installed it.

    • by Rinnon ( 1474161 )
      I wish I could have possessed your foresight on this matter.
      • No foresight. Just laziness.

        From what I gather, it's some kind of chat program. I already have one, didn't see a point in another one.

        • From what I gather, it's some kind of chat program.

          I know you think it's cute to feign ignorance but it just makes it look like you've never been on Slashdot before.

          I already have one, didn't see a point in another one.

          Great for you. For literally billions of people in the world it's not a choice. Brazil, India, several countries in Western Europe, WhatsApp is the de facto default communications platform. You don't have friends that use WhatsApp? Great. I live in an area where I get government 2FA codes through WhatsApp, where business is conducted through the platform.

          Many people don't have a "choice".

      • It was the smell. It stunk of Facebook and so was easy to avoid.

    • It's not really optional in some countries. Businesses in Mexico and India (among many others) frequently don't have a phone number, just a WhatsApp number. And for a majority of the people, SMS messages will go unanswered, MMS doesn't function on some phone plans, and everything runs through WhatsApp.

      It's just the way the world evolved, the first real cell phone networks in a lot of countries started with data, and it was just a lot cheaper to use WhatsApp than what the phone company charged, it works on W

  • To be exposed to this attack, the user first had to intentionally install the known malware vector known as WhatsApp.

    • False, this problem here relates to processing of image files. Not only were all messaging apps that pre-load images affected, but non-messaging apps were too.

  • This was an exploit chain that relied on a flaw in WhatsApp to more easily deliver a malicious payload to the underlying iOS device (for CVE-2025-43300) but don't think that the core exploit used here isn't accessible via Signal, FB Messenger, Threema, etc. Messaging apps are by far the highest risk attack surface for mobile since all an attacker needs for your device to process a malicious payload is your email address or phone #. So for those saying "down with WhatsApp", your favourite messenger is like
    • Messaging apps are by far the highest risk attack surface for mobile since all an attacker needs for your device to process a malicious payload is your email address or phone #.

      True for many messaging apps, but not all!

      Session [getsession.org] and SimpleX [simplex.chat] don't use phone numbers or email addresses as identifiers, which greatly limits inbound messages from unknown senders.

  • Most of social media is crap anyway......
