WhatsApp has fixed a security flaw in its app for iOS and macOS. A zero-click exploit had been used by hackers to target users in spyware attacks.
Last week, Apple released iOS 16.8.2, iPadOS 16.8.2, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8 and macOS Ventura 13.7.8 updates to fix a zero-day vulnerability tracked as CVE-2025-43300. The Cupertino company acknowledged that the exploit may have been used by hackers in an extremely sophisticated attack against specific targeted individuals.
Apple did not provide details about the attack, but WhatsApp says that attackers exploited this OS-level security flaw along with a vulnerability in its own app to attack some users. The vulnerability, which has now been fixed by WhatsApp, is tracked as CVE-2025-55177. Its description says that an incomplete authorization of linked device synchronization messages in WhatsApp could have allowed attackers to trigger processing of content from an arbitrary URL on a target’s device. Since it was a zero-click attack, it did not require any action from a user, such as clicking on a link. The attackers exploited both security flaws to compromise the victim's device and steal data from it, including messages.
Affected app versions include WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. WhatsApp credited its own security experts for discovering and patching the exploit.
TechCrunch reports that Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, called the attack "an advanced spyware campaign" that had been targeting users for over 90 days, since the end of May. It is not clear who the attackers were.
Margarita Franklin, a Meta spokesperson, has confirmed that the vulnerability was detected and patched a few weeks ago. As for the impact, Meta says it notified affected WhatsApp users, and this number was less than 200.
Spyware campaigns against WhatsApp users aren't new. Earlier this year, WhatsApp managed to disrupt a Paragon spyware campaign that had targeted journalists and civil society members in Italy. WhatsApp had sued the infamous NSO Group, which created the Pegasus spyware, for compromising the security of over 1400 users in an attack campaign in 2019. In May 2024, a U.S. court ordered the NSO Group to pay $167 million in damages to WhatsApp.
The post WhatsApp fixes zero-click vulnerability in iOS and macOS which was used in targeted spyware attacks appeared first on gHacks Technology News.