Meta has begun addressing WhatsApp vulnerabilities that expose user metadata, focusing in particular on flaws that allow adversaries to ‘fingerprint’ a device’s operating system. However, fully masking these signatures is an ongoing challenge.
When threat actors want to deliver sophisticated spyware to a user, they may choose WhatsApp, which has 3 billion users, as a delivery channel. To achieve their goal, the attackers can exploit zero-day vulnerabilities that enable them to deliver a malicious payload to WhatsApp users without any interaction from the victim.
These zero-days can affect WhatsApp itself and third-party components that enable the delivery of spyware through other applications that rely on these components. Paragon spyware attacks that came to light in 2025 targeted dozens of users through the exploitation of such flaws.
WhatsApp zero-days are rare and highly valuable to both attackers and defenders, with $1 million often offered by both sides for full-chain exploits.
Device fingerprinting
However, before attackers can exploit WhatsApp zero-days to deliver their malicious payloads, they need to determine the targeted user’s operating system to push the right type of payload.
This can be done in the reconnaissance phase of the attack. Researchers have shown over the past two years that an attacker only needs the targeted user’s phone number to collect information about their devices and operating systems. The process requires no user interaction and leaves the victim with no indication that their information has been harvested.
Researchers demonstrated how an attacker can infer the user’s main device, the operating system of each linked device, the devices’ age, and whether WhatsApp is running through a mobile app or a web browser on a desktop device. This can be determined because of the predictable values of encryption key IDs assigned by the messaging application.
One of the individuals spearheading these investigations is Tal Be’ery, a respected researcher and co-founder and CTO of the Zengo cryptocurrency wallet.
Be’ery and others have reported their findings to Meta, but the internet giant did not appear to take any action until recently.
Be’ery has developed a tool for WhatsApp device fingerprinting. The tool is not public, but it recently showed the researcher that Meta has started taking some steps to prevent device fingerprinting by assigning random values to key IDs, specifically for Android devices.
The researcher, who described the findings in a blog post published on Monday, has demonstrated for SecurityWeek that the device fingerprinting technique still works. However, he applauded Meta for recognizing it as a security and privacy issue and taking steps to address it.
“Attackers can nonetheless distinguish with excessive certainty between Android and iPhone primarily based on One-Time PK ID,” Be’ery explained. “Since iPhone initializes this parameter with a low worth and slowly increments it (each few days), it’s nonetheless extremely distinguishable from Android’s random worth, which makes use of its whole 24-bit potential.”
“Nonetheless, it appears cheap to imagine that that is WhatsApp’s first step towards a extra full repair that can make these fields random on all working programs and platforms. If certainly that is the plan, it would obliterate this fingerprinting privateness vulnerability,” he added.
While he believes Meta has taken steps in the right direction, the researcher criticized the ‘silent’ nature of the rollout, noting that WhatsApp users remain unaware of the underlying changes. He also believes Meta should do a better job communicating with researchers who report these types of issues, assign CVE identifiers, and pay bug bounties.
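As an added illustration (not code from WhatsApp, Meta or Be’ery’s tool), the Python below contrasts the two allocation patterns described above, a low-starting counter and uniform random IDs over the 24-bit field, and shows a check a client developer could put in a test suite to catch the counter pattern in their own ID generator. All class and function names are hypothetical, and the batch size of 16 and the 1e-6 threshold are assumptions.

```python
import secrets

ID_BITS = 24                  # width of the key ID field, per the quote above
ID_SPACE = 1 << ID_BITS


class CounterKeyIds:
    """Counter-style allocation: low start value, incremented per key."""

    def __init__(self, start=1):
        self._next = start

    def allocate(self):
        key_id = self._next
        self._next = (self._next + 1) % ID_SPACE
        return key_id


class RandomKeyIds:
    """Uniform allocation over the full 24-bit space, unique among live IDs."""

    def __init__(self, randbelow=secrets.randbelow):
        self._randbelow = randbelow   # CSPRNG by default; injectable for tests
        self._live = set()

    def allocate(self):
        if len(self._live) >= ID_SPACE:
            raise RuntimeError("24-bit key ID space exhausted")
        while True:                   # retry on the rare collision
            key_id = self._randbelow(ID_SPACE)
            if key_id not in self._live:
                self._live.add(key_id)
                return key_id

    def release(self, key_id):
        self._live.discard(key_id)    # ID may be reused once the key is consumed


def looks_non_uniform(ids, alpha=1e-6):
    """True if the batch is implausible for uniform 24-bit IDs.

    For n uniform draws, P(max <= m) = ((m + 1) / 2**24) ** n, so a batch
    whose largest ID is small gets a vanishing p-value. This only tests the
    'low values' signal; it is not a general randomness test.
    """
    if not ids:
        raise ValueError("need at least one ID")
    p_value = ((max(ids) + 1) / ID_SPACE) ** len(ids)
    return p_value < alpha


def sample(allocator, n=16):
    return [allocator.allocate() for _ in range(n)]
```

A counter that has already advanced for months is still flagged, because its largest ID stays far below the top of the 24-bit range.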
Response from WhatsApp
WhatsApp told SecurityWeek that it remains focused on protecting users against many different attack vectors while still ensuring it can smoothly run its popular messaging service.
WhatsApp has confirmed that it has been taking steps to harden its application, including against device fingerprinting.
However, it pointed out several aspects regarding OS inference and why these issues are often considered low severity:
Device fingerprinting is not limited to WhatsApp and can be done through many technologies and platforms.
Operating systems themselves can make device fingerprinting trivial to enable a better user experience (for example, typing in a number on iMessage to see if someone is on Apple OS or Android, without sending any message).
Inferring device OS stems from the differences in how various operating systems function, requiring developers to build app versions tailored for each one in order to optimize their performance for the user.
OS inference has a limited practical security impact. It has marginal utility without a zero-day that would allow an attacker to deliver malicious code aimed at a specific OS.
The cybersecurity industry typically rates the severity of OS fingerprinting (both active and passive inference) as low, and these types of issues rarely meet the severity threshold for a CVE. The issues reported by Be’ery did not meet WhatsApp’s threshold.
However, WhatsApp says Be’ery’s report did help the company address a separate but related issue in the handling of invalid messages, as well as to improve its bug bounty triage process in this area. The researcher has been awarded a bug bounty for this contribution.
Meta has paid out $25 million through its bug bounty program since its inception, including $4 million in 2025.
In the case of WhatsApp specifically, Meta says it has been improving security, including through a WhatsApp Research Proxy tool that makes research into WhatsApp’s network protocol more effective.
As for its fight against spyware, Meta has been taking action on multiple fronts, including disrupting operations aimed at its applications, sharing its findings with industry peers and researchers to help them detect such activity, raising awareness among users, and filing lawsuits against spyware makers.
Meta last year won a lawsuit against spyware firm NSO Group. NSO has been ordered to stop hacking WhatsApp and pay millions in punitive damages, but the spyware maker has filed an appeal.
