
WhatsApp Vendor Cyber Rating & Cyber Score

whatsapp.com

WhatsApp is a fast, simple and reliable way to talk to anyone in the world. More than 1.5 billion people across 180+ countries use WhatsApp to stay in touch with friends and family, anytime and anywhere. WhatsApp is not only free but also available on multiple mobile devices and in low connectivity areas — making it accessible and reliable wherever you are. It's a simple and secure way to share your favorite moments, send important information or catch up with a friend. WhatsApp helps people connect and share no matter where they are in the world. For many people in the world WhatsApp is a lifeline. We're looking for engineers, designers, researchers, product managers, technical program managers, customer ops, consumer marketing, and


WhatsApp A.I CyberSecurity Scoring

Company Information
Website: http://www.whatsapp.com
Employees number: 3,683
Number of followers: 326,578
NAICS: 5112
Industry Type: Software Development
Homepage: whatsapp.com
WhatsApp Risk Score (AI oriented)
Between 600 and 649
WhatsApp, Software Development
Updated: 08/06/2026
604/1000
Poor
Caa
Aaa Aa A Baa Ba B Caa Ca C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

WhatsApp: Poor
Current Score
604 Caa (POOR)
Scale: 0 to 1000
12 incidents
-17.2 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
604 Before Incident
MAY 2026
606 Before Incident
Vulnerability
25 May 2026, WhatsApp
WhatsApp: WhatsApp Chat Histories Exposed in Unencrypted Storage on macOS and iOS

WhatsApp Chat Data Stored Unencrypted in Meta’s Shared App Containers on macOS and iOS

602 After Incident
CRITICAL-4
WHA1779711949
Security researchers at Mysk have uncovered a potential privacy risk in how WhatsApp stores user chat data on macOS and iOS, revealing that message databases may be kept in unencrypted plaintext within shared app group containers. These containers, used by Meta-owned applications (including Facebook, Instagram, and WhatsApp), allow data sharing between apps signed by the same developer under the identifier “group.com.facebook.family.”

The issue stems from WhatsApp’s storage architecture, where chat histories are saved without encryption at rest. This means:
- Other Meta apps on the same device could theoretically access WhatsApp data without explicit user consent.
- No notification mechanism exists to alert users of such access.
- The vulnerability affects both macOS and iOS, with researchers demonstrating that unencrypted chat data can also be extracted from iPhone backups.

The risk is further amplified by a macOS vulnerability (CVE-2026-28910), which allows attackers to bypass Apple’s App Sandbox protections. Exploiting this flaw could enable:
- Access to protected app containers, including those for WhatsApp, Messages, and Safari.
- Extraction of sensitive data while circumventing Transparency, Consent, and Control (TCC) safeguards.
- A proof-of-concept attack combining this exploit with WhatsApp’s storage behavior to retrieve chat histories.

While some experts, such as WABetaInfo, argue that the data remains within Apple’s sandboxed environment, requiring either system-level privileges or OS exploits to access, Mysk contends that Meta’s shared app group entitlements weaken isolation boundaries, enabling internal data sharing without user awareness.

The findings underscore broader concerns about data-at-rest security in mobile ecosystems:
- End-to-end encryption protects messages in transit but does not secure local storage.
- Shared app containers increase the attack surface when combined with OS-level vulnerabilities.
- Backup extraction remains a viable method for accessing sensitive data if not encrypted.

No widespread exploitation has been reported, but the research highlights the need for stronger local encryption in tightly integrated app ecosystems like Meta’s.
INCIDENT DETAILS -
TYPE
Data Exposure
IMPACT
Data Compromised: WhatsApp chat histories
Systems Affected: macOS, iOS
Brand Reputation Impact: Potential reputational damage due to privacy concerns
Legal Liabilities: Potential regulatory violations (e.g., GDPR, CCPA)
Identity Theft Risk: High (if PII is exposed)
DATA BREACH
Type Of Data Compromised: Chat histories, potentially including personally identifiable information (PII)
Sensitivity Of Data: High (private conversations)
Data Exfiltration: Possible via macOS sandbox bypass or iPhone backups
Data Encryption: No encryption at rest
File Types Exposed: Message databases (plaintext)
Personally Identifiable Information: Potentially (depends on chat content)
MAY 2026
624 Before Incident
Cyber Attack
11 May 2026, WhatsApp
Spotify, Israel Defense Forces and WhatsApp: Pro-Iran hackers claim attack on Spotify as ‘revenge’ for Khamenei killing

Pro-Iran Hacker Groups Launch Coordinated Cyberattacks Targeting Spotify and Israeli Citizens

605 After Incident
CRITICAL-19
ISRSPOWHA1778675186
A pro-Iran hacker collective, the Islamic Cyber Resistance in Iraq – 313 Team, claimed responsibility for a DDoS attack that disrupted Spotify’s services on Tuesday, causing widespread access issues for users. Reports of outages surfaced on Wednesday evening around 8 p.m., with Spotify acknowledging the incident on X (formerly Twitter), stating that its app, support site, and web player were experiencing slowdowns or failures. The group later boasted on Telegram that the attack had "completely disabled" the platform’s main servers.

In a separate campaign, Iran-linked hackers targeted Israeli citizens with threatening WhatsApp messages on Monday, sent from hijacked or spoofed business accounts. The messages, written in English, warned recipients of impending missile strikes if Israel did not cease military actions, referencing "Sayid Majid missiles" and urging civilians to stockpile supplies. The National Cyber Directorate is investigating the source, attributing the activity to Handala, a group known for combining cyberattacks with psychological warfare.

The same group, Handala, also published a "target list" on Sunday allegedly exposing 60 senior officers from the IDF’s Egoz commando unit. However, the list included only 48 individuals, most of whom were veterans and reservists, not active officers, with some openly identifying their past service on social media. The group framed the disclosure as a threat, declaring the individuals would become targets for "the resistance’s shadows." Analysis by The Jerusalem Post found that none of those listed held senior ranks, with the highest being a non-commissioned officer (NCO).

The incidents reflect a broader pattern of Iran-backed cyber operations targeting both digital infrastructure and civilian morale, leveraging disruptions and psychological tactics in ongoing regional tensions.
INCIDENT DETAILS -
TYPE
DDoS, Psychological Warfare, Data Exposure
MOTIVATION
Disruption of Services, Psychological Impact, Regional Tensions
IMPACT
Data Compromised: Personal information of 48 individuals (IDF veterans/reservists)
Spotify app
Spotify support site
Spotify web player
WhatsApp business accounts
Downtime: Widespread access issues (duration unspecified)
Operational Impact: Service slowdowns or failures for Spotify users
Brand Reputation Impact: Potential reputational damage to Spotify and WhatsApp due to service disruptions and misuse of accounts
Identity Theft Risk: Moderate (exposure of personal data of IDF-affiliated individuals)
DATA BREACH
Type Of Data Compromised: Personal information (names, military affiliation)
Number Of Records Exposed: 48
Sensitivity Of Data: Moderate (personal but not highly classified)
Personally Identifiable Information: Yes (names, military service details)
MAY 2026
649 Before Incident
Cyber Attack
01 May 2026, WhatsApp
WhatsApp: WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware

WhatsApp Disrupts New NSO Group Spear-Phishing Campaign, Seeks Contempt Ruling

623 After Incident
HIGH-26
WHA1780936187
Meta’s WhatsApp has uncovered and blocked a fresh spear-phishing campaign linked to NSO Group, the Israeli spyware firm blacklisted by the U.S. government, and is now petitioning a federal court to hold the company in contempt for violating a 2024 permanent injunction.

In May 2025, a U.S. federal jury ordered NSO Group to pay $167.25 million in punitive damages and $444,719 in compensatory damages to WhatsApp after a 2019 attack exploited a buffer overflow vulnerability in WhatsApp’s VOIP stack to deliver Pegasus spyware, compromising approximately 1,400 users. The court’s injunction explicitly barred NSO from targeting WhatsApp or its users again.

Despite this, WhatsApp’s latest investigation, triggered by user reports, identified NSO-linked accounts attempting to trick users into clicking malicious external links, a tactic consistent with the firm’s past operations. The campaign targeted fewer than 10 users in Jordan and Lebanon, with no evidence of successful device compromise. WhatsApp dismantled test accounts and groups used to stage the attacks.

NSO Group’s defiance extends beyond WhatsApp. Court filings reveal the company continued developing exploits, including malware vectors codenamed Erised and Heaven, even after the original lawsuit. NSO’s CEO has publicly acknowledged the firm’s efforts to exploit vulnerabilities in browsers, operating systems, and third-party apps, underscoring its expansive surveillance operations.

WhatsApp’s legal action is supported by 12 civil rights organizations, which filed amicus briefs in May 2026 backing the permanent injunction against NSO’s appeal. Additionally, WhatsApp has contributed funding to the Spyware Accountability Initiative (SAI), a global effort supporting forensic research, advocacy, and user-support networks. Technical partner Citizen Lab, which has collaborated with WhatsApp since 2019, previously helped Apple issue a security update protecting over a billion devices.

Threat Indicators (IOCs):
- Malicious domains linked to NSO-associated phishing infrastructure:
  - `hxxps://ikhwancast[.]com`
  - `hxxps://ghazacast[.]com`
  - `hxxps://fr24cast[.]com`
INCIDENT DETAILS -
TYPE
Spear-Phishing
MOTIVATION
Surveillance, Espionage
IMPACT
Financial Loss: $444,719 (compensatory damages from 2019 attack)
Systems Affected: WhatsApp user accounts
Operational Impact: Disruption of phishing campaign, legal proceedings
Brand Reputation Impact: Potential reputational damage due to repeated targeting
Legal Liabilities: $167.25 million (punitive damages from 2019 attack)
APRIL 2026
646 Before Incident
MARCH 2026
663 Before Incident
Cyber Attack
17 Mar 2026, WhatsApp
Bundesnachrichtendienst, WhatsApp and Signal: Signal Cyberattack in Germany Targets Politicians Through Impersonation

German Government Officials Targeted in Coordinated Social Engineering Attack on Signal and WhatsApp

645 After Incident
CRITICAL-18
WHABUNSIG1773750470
A sophisticated cyberattack has targeted high-ranking German officials, including former Bundesnachrichtendienst (BND) Vice President Arndt Freytag von Loringhoven, by impersonating Signal support staff. The campaign, which appears to be part of a broader effort, has affected multiple politicians and government figures across Germany, raising concerns about the security of encrypted communication channels used for sensitive exchanges.

Attackers exploited trust in well-known messaging platforms by posing as legitimate support personnel, attempting to extract account credentials, redirect verification codes, or gain unauthorized access to private conversations. Unlike traditional cyberattacks that target encryption vulnerabilities, this campaign relied on social engineering, manipulating users into voluntarily surrendering access.

Signal and WhatsApp, favored by officials for their strong encryption, became prime targets due to their perceived security. The attackers leveraged the platforms’ reputations to make their impersonation attempts more convincing, highlighting a growing risk: even secure tools are vulnerable when users are deceived.

German security institutions are expected to strengthen operational security measures in response, as the incident underscores how threat actors view messaging platforms as a potential entry point into sensitive networks. The attacks serve as a reminder that human behavior, not just technical defenses, remains a critical vulnerability in cybersecurity.
INCIDENT DETAILS -
TYPE
Social Engineering
IMPACT
Data Compromised: Potential unauthorized access to private conversations and account credentials
Systems Affected: Signal and WhatsApp accounts of high-ranking officials
Operational Impact: Potential compromise of sensitive government communications
Brand Reputation Impact: Erosion of trust in secure messaging platforms for government use
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Private conversations, account credentials
Sensitivity Of Data: High (government communications)
Personally Identifiable Information: Potential
MARCH 2026
693 Before Incident
Cyber Attack
09 Mar 2026, WhatsApp
WhatsApp and General Dutch Intelligence Agency: Russia-backed hackers breach Signal, WhatsApp

Russian-Backed Hackers Target Signal and WhatsApp Accounts of Officials and Journalists

674 After Incident
CRITICAL-19
GENWHA1773052486
Dutch intelligence agencies revealed on March 9 that Russian-backed hackers have launched a global cyber campaign to infiltrate Signal and WhatsApp accounts belonging to government officials, military personnel, and journalists. The attackers trick users into disclosing security verification codes or PINs during deceptive chats, granting access to personal accounts and sensitive group conversations.

The General Dutch Intelligence Agency (AIVD) and Military Intelligence and Security Service (MIVD) warned that the hackers likely obtained classified information, with Dutch government employees and journalists among the confirmed targets. End-to-end encrypted messaging apps like Signal and WhatsApp are favored for secure communication, making them prime targets for cyber espionage.

The hackers primarily impersonate a Signal Support chatbot to extract verification codes, while also exploiting Signal’s "linked devices" feature. Signs of compromise include duplicate contacts or accounts marked as "deleted." WhatsApp responded by advising users against sharing their six-digit codes, though Signal did not immediately comment.

Dutch authorities issued a cyber advisory to mitigate the threat, with MIVD director Vice-Admiral Peter Reesink cautioning that even encrypted apps should not be used for transmitting highly sensitive information. The campaign underscores the persistent risks of social engineering in cyber espionage.
INCIDENT DETAILS -
TYPE
Cyber Espionage
MOTIVATION
Espionage
IMPACT
Data Compromised: Classified information, personal accounts, sensitive group conversations
Systems Affected: Signal and WhatsApp accounts
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Classified information, personal accounts, sensitive group conversations
Sensitivity Of Data: High
Personally Identifiable Information: Yes
FEBRUARY 2026
679 Before Incident
JANUARY 2026
677 Before Incident
DECEMBER 2025
675 Before Incident
NOVEMBER 2025
674 Before Incident
OCTOBER 2025
672 Before Incident
SEPTEMBER 2025
681 Before Incident
AUGUST 2025
679 Before Incident
JULY 2025
677 Before Incident
JUNE 2025
665 Before Incident
Vulnerability
16 Jun 2025, WhatsApp
WhatsApp (Meta)

WhatsApp Zero-Click Exploit Chain Targeting iOS and Android Users via Malicious Messages

674 After Incident
CRITICAL-9
WHA810090225
WhatsApp disclosed a zero-click exploit chain targeting specific users by combining a WhatsApp vulnerability (CVE-2025-55177) with an Apple Image I/O framework flaw (CVE-2025-43300). Attackers sent malicious messages to dozens of users, exploiting out-of-bounds memory writes in Apple’s image processing system and unauthorized WhatsApp message synchronization to compromise devices without user interaction. The attack allowed full device takeover, including access to messages, media, and other sensitive data. Affected users were advised to perform a factory reset, though residual malware risks persisted. The exploit leveraged a chained infection vector, primarily impacting iOS and Mac users, with Android devices potentially exposed via separate attack paths. WhatsApp patched the flaw in updates (iOS v2.25.21.73+, Mac v2.25.21.78+), but the incident highlighted the severity of zero-click threats in spyware campaigns, where no user action is required for compromise. Amnesty International linked the attack to advanced surveillance operations, emphasizing the risk to high-profile targets.
INCIDENT DETAILS -
TYPE
Zero-click exploit, Remote code execution (RCE), Memory corruption, Unauthorized synchronization
IMPACT
Messages
Device data (potential full access)
iOS devices
Mac devices
Android devices (limited scope)
Operational Impact: Potential full device compromise, including spyware installation
Brand Reputation Impact: Moderate (proactive disclosure and mitigation may limit damage)
Identity Theft Risk: High (if spyware installed)
Payment Information Risk: Potential (if device fully compromised)
DATA BREACH
Messages
Device-stored data (potential full access)
Sensitivity Of Data: High (personal messages, potentially sensitive device data)
Data Exfiltration: Likely (spyware installation implied)
Image files (malicious payload)
Potentially all device-stored files
Personally Identifiable Information: High risk (if device compromised)
APRIL 2025
678 Before Incident
Vulnerability
08 Apr 2025, WhatsApp
WhatsApp

WhatsApp for Windows Vulnerability

674 After Incident
CRITICAL-4
WHA623040825
A critical vulnerability identified in WhatsApp for Windows allows attackers to execute arbitrary code by sending seemingly harmless file attachments that exploit the application's handling of MIME types and file extensions. Designated as CVE-2025-30401, the high-severity flaw affects versions up to 2.2450.5 and has been rectified in version 2.2450.6. The spoofing vulnerability could deceive users into interacting with malicious attachments, leading to unauthorized execution of code and potential data theft. This issue also raises concerns in group chats where a single malicious attachment can compromise multiple users. Immediate updating to a patched version is urged.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Data Compromised: Potential data theft
Systems Affected: WhatsApp for Windows
MARCH 2025
681 Before Incident
Vulnerability
01 Mar 2025, WhatsApp
WhatsApp (Meta)

WhatsApp Zero-Day Vulnerability (CVE-2025-55177) Exploited in Targeted Spyware Attacks

676 After Incident
HIGH-5
WHA28105328090725
WhatsApp disclosed a zero-click vulnerability (CVE-2025-55177) in its iOS and macOS apps, exploited in targeted zero-day attacks alongside an Apple OS-level flaw (CVE-2025-43300). The flaw allowed attackers to bypass authorization and force devices to process malicious content from arbitrary URLs, enabling spyware deployment (e.g., Paragon’s Graphite). WhatsApp confirmed the attacks were highly sophisticated, likely state-sponsored, targeting journalists, civil society members, and high-profile individuals over 90 days. While WhatsApp patched the issue and warned affected users, the malware may persist on compromised devices, requiring factory resets. The attack mirrors a March 2025 incident where WhatsApp disrupted a Paragon spyware campaign exploiting a similar zero-day. The combination of WhatsApp and Apple OS vulnerabilities suggests advanced persistent threat (APT) actors leveraged multi-stage exploits to infiltrate devices silently, exfiltrate data, and maintain persistence. No evidence of mass data breaches was reported, but the targeted nature implies high-value intelligence gathering, potentially compromising sensitive communications, contacts, and device integrity of victims. Users were urged to update software and reset devices to mitigate risks.
INCIDENT DETAILS -
TYPE
Zero-day exploit, Spyware campaign, Targeted attack
MOTIVATION
Espionage, Targeted surveillance
IMPACT
Potential device compromise
Spyware installation (e.g., Graphite)
WhatsApp for iOS (<2.25.21.73)
WhatsApp Business for iOS (<2.25.21.78)
WhatsApp for Mac (<2.25.21.78)
Apple iOS/macOS (via CVE-2025-43300)
User notifications
Factory reset recommendations
Ongoing risk of device compromise
Potential erosion of trust due to targeted spyware attacks
High (via spyware capabilities)
DATA BREACH
Device metadata
Potential communications (via spyware)
User activity
Sensitivity Of Data: High (spyware capable of exfiltrating sensitive user data)
NOVEMBER 2024
675 Before Incident
Cyber Attack
01 Nov 2024, WhatsApp
WhatsApp and Signal: Cyberattack: Russia hacks WhatsApp and Signal

Russian State-Backed Hackers Target WhatsApp and Signal Accounts in Global Espionage Campaign

656 After Incident
CRITICAL-19
WHASIG1773347242
Russian state-linked cyber actors have launched a large-scale campaign to hijack WhatsApp and Signal accounts, primarily targeting government officials, military personnel, diplomats, and journalists. The attacks, first detected in late 2024, exploit trusted features of the messaging platforms rather than vulnerabilities in their encryption.

For WhatsApp, hackers trick victims into scanning a malicious QR code or clicking a link under the guise of joining a group. Instead of adding the user to a chat, the action grants attackers full access to the account, allowing them to read messages undetected while the victim remains unaware. On Signal, attackers impersonate the platform’s "Security Support" chatbot, convincing users to share SMS verification codes, enabling them to register the victim’s account on their own device.

Dutch intelligence agencies (MIVD and AIVD) confirmed the campaign’s origins, warning that high-value targets, including journalists from German outlets like Zeit, Correctiv, and netzpolitik.org, have been compromised since at least November 2024. While neither WhatsApp nor Signal’s underlying security was breached, the attacks leverage social engineering to bypass protections.

Swiss authorities, including the Federal Intelligence Service (SRC), noted the campaign reflects a broader shift toward mobile-focused espionage. The Swiss federal administration mandates Threema Work for sensitive communications but does not outright ban WhatsApp on official devices. However, officials emphasize caution with unsolicited messages, as legitimate services like Signal will never request verification codes or PINs via in-app messages.

The incidents underscore the growing threat to widely used encrypted platforms, particularly when attackers exploit human trust rather than technical flaws.
INCIDENT DETAILS -
TYPE
Espionage, Account Hijacking
MOTIVATION
Espionage
IMPACT
Data Compromised: Messaging account access, sensitive communications
WhatsApp
Signal
Operational Impact: Compromised confidential communications for government, military, and media personnel
Brand Reputation Impact: Erosion of trust in encrypted messaging platforms
Identity Theft Risk: High (account takeover)
DATA BREACH
Type Of Data Compromised: Messaging account access, confidential communications
Sensitivity Of Data: High (government, military, diplomatic, journalistic communications)
JUNE 2022
723 Before Incident
Breach
16 Jun 2022, WhatsApp
WhatsApp

WhatsApp User Data Breach

597 After Incident
CRITICAL-126
WHA2315251122
A well-known hacking community forum was selling a 2022 database of 487 million WhatsApp user mobile numbers. The dataset allegedly contained WhatsApp user data from 84 countries including over 32 million US user records. It also contained another huge chunk of phone numbers belonging to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial Gain
IMPACT
Mobile Numbers
DATA BREACH
Type Of Data Compromised: Mobile Numbers
Number Of Records Exposed: 487 million
JUNE 2021
716 Before Incident
Vulnerability
16 Jun 2021, WhatsApp
WhatsApp (Meta Platforms, Inc.)

Critical WhatsApp Vulnerability Exposes 3.5 Billion User Phone Numbers and Profile Data

708 After Incident
CRITICAL-8
WHA2002220112025
Security researchers from the University of Vienna exposed a critical vulnerability in WhatsApp’s contact discovery mechanism, enabling the enumeration of 3.5 billion phone numbers globally by exploiting weak rate-limiting protections. The flaw allowed attackers to query 63 billion candidate numbers across 245 countries, retrieving not just phone numbers but also public profile pictures (77M from US users, 66% with detectable faces), status messages, business account details, device information, encryption keys, and timestamps.

The breach posed severe risks, particularly in banned regions (e.g., 2.3M active accounts in China, 1.6M in Myanmar, 59M in Iran), where users could face government surveillance or legal repercussions. Cross-referencing with the 2021 Facebook leak revealed that 50% of exposed numbers remained active, highlighting persistent threats like spam, phishing, and robocalls. While WhatsApp mitigated the issue post-disclosure (e.g., rate-limiting, restricting profile picture access), the incident underscored systemic privacy risks in centralized platforms, where convenience features become attack vectors at scale. End-to-end encryption for messages remained intact, but the mass exposure of metadata and linked identities created long-term surveillance and targeting risks.
INCIDENT DETAILS -
TYPE
Privacy Violation, Data Exposure, Unintended Data Disclosure
MOTIVATION
Academic Research / Responsible Disclosure
IMPACT
Phone Numbers (3.5 billion)
Public Profile Pictures (77 million from US accounts)
Status Messages
Business Account Information
Device Details
Encryption Keys
Timestamps
Facial Recognition Data (66% of profile pictures contained detectable faces)
WhatsApp Contact Discovery API
WhatsApp Android Clients (Key Reuse Vulnerability)
Operational Impact: High (Potential for spam, phishing, robocalls, and surveillance risks)
Brand Reputation Impact: Moderate (Privacy concerns raised, but proactive mitigation by WhatsApp)
Identity Theft Risk: High (Facial recognition + phone number linkage)
DATA BREACH
Phone Numbers
Profile Pictures
Status Messages
Business Account Info
Device Details
Encryption Keys
Timestamps
Facial Recognition Data
Number Of Records Exposed: 3.5 billion (phone numbers); 77 million (US profile pictures)
Sensitivity Of Data: High (PII + facial recognition risks)
Data Exfiltration: Yes (researchers downloaded data for analysis)
Data Encryption: End-to-end encryption for messages remained intact; encryption keys for accounts were exposed
JPEG/PNG (profile pictures)
Text (status messages, business info)
Personally Identifiable Information: Yes (phone numbers + facial data)
JUNE 2020
771 Before Incident
Data Leak
01 Jun 2020, WhatsApp
WhatsApp

WhatsApp Data Leak Incident

700 After Incident
MEDIUM-71
WHA21136123
The bug was found on WhatsApp's platform. Phone numbers of crores of users have been published on Google. Mobile numbers of 29,000 to 30,000 users were appearing in text format on Google due to the bug.
INCIDENT DETAILS -
TYPE
Data Leak
IMPACT
Phone Numbers
DATA BREACH
Phone Numbers
Number Of Records Exposed: 29,000 to 30,000
