Meta knew, but considered it "not a privacy issue."
Meta's WhatsApp has long been one of the most convenient entry points for cyberattacks. The messaging app boasts over 3 billion monthly users, and this audience makes it particularly attractive for malware distribution. End-to-end encryption reliably protects the content of messages, but the service's multi-device capabilities have, for years, allowed for the collection of technical information about the recipient's devices. This information has proven accurate enough to be used in attack preparation.
Any sophisticated cyberattack begins with reconnaissance. Before deploying an exploit, it's crucial for attackers to understand the identity of the target device. Sending an Android vulnerability to an iPhone is not only futile but also risky: the victim might notice suspicious activity and thus disrupt the operation. For professional groups, such a mistake threatens far more serious consequences—from the loss of costly zero-day and zero-click vulnerabilities to the exposure of infrastructure and target lists.
Problems related to WhatsApp data leaks were described in detail as early as 2024. At the time, researchers demonstrated that the messaging app allows for the identification of account configurations—specifically, how many devices are connected and which ones. The source of this leak lies in the end-to-end encryption architecture when using multiple devices. Each recipient device establishes a separate cryptographic session with the sender, and each session uses its own keys. As a result, connected devices become distinguishable, allowing an outside observer to infer the composition of the group.
It was later discovered that separate sessions could be used for a more targeted scenario—selecting a specific device for attack. Instead of attempting to "get" an entire account, an attacker could target a specific device. In 2025, researchers went even further and demonstrated that individual parameters of cryptographic keys could be used to identify not only a specific device but also its operating system. In other words, WhatsApp effectively allowed for fingerprinting—identifying the target's platform.
The leak mechanism turned out to be related to a routine service procedure. To establish a secure session, the sender requests cryptographic material from WhatsApp servers, which is generated on each recipient device. This is necessary to maintain end-to-end encryption, but it was at this stage that implementation differences emerged across platforms. Some key identifiers were generated differently, and these differences could be used to determine whether Android or iOS was being used. No action was required on the part of the device owner—the request was executed silently and without any notification.

The study's authors note that the findings regarding this platform detection were also described in a separate 2025 paper. The researchers confirm these findings with their own observations using an internal tool that has not yet been published. Using this tool, they noticed a recent change in the logic of the Android version of WhatsApp. This relates to the Signed PK ID parameter: previously, it started at zero and incremented extremely slowly—roughly once a month. Now, this value is randomly selected. The researchers view this step positively, as Meta had not previously considered this a privacy issue requiring a fix.

However, the vulnerability is not fully fixed. It remains possible to distinguish Android from iPhone using another parameter—the One-Time PK ID. On iOS, it starts with a low value and gradually increases over several days, while Android uses random values across the entire 24-bit range. The researchers updated their tool to account for the new behavior and still differentiate between platforms.

The patch implementation process itself raised specific questions. According to the authors, WhatsApp made the changes without public notice, failed to contact the researchers who first reported the issue, failed to pay a bounty, and failed to assign a CVE identifier to the vulnerability. They compare this situation to another case previously reported to the messenger: a fix was released, a small bounty was paid, but the CVE assignment was denied, citing insufficient severity. The authors believe this approach is flawed. In their opinion, CVEs shouldn't be perceived as a stigma or an admission of failure—they're a tool for recording and discussing security and privacy issues. Differences in risk levels are more logically reflected through CVSS scores, rather than by the absence of an identifier altogether.

Ultimately, WhatsApp has indeed begun to reduce the amount of information that could be used for covert reconnaissance.
The research community's efforts have not been in vain. However, the way the changes are being implemented and the ability to differentiate between platforms demonstrate that the problem is being addressed gradually and without much transparency. This story clearly demonstrates that even with reliable encryption, implementation details and metadata can play a key role in preparing attacks.
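The identifier behavior described above can be shown from the implementer's side. The following is an added example, not code from the article, the researchers, or WhatsApp: a simplified counter-style ID allocator next to a uniformly random one, with a self-audit that checks whether a batch of published IDs reveals internal state. The class names, the `leak_report` function and its thresholds are assumptions made for illustration.

```python
import secrets

ID_BITS = 24                 # the "entire 24-bit range" mentioned in the article
ID_SPACE = 1 << ID_BITS


class CounterPrekeyIds:
    """Leaky pattern: IDs start low and grow with use (hypothetical class)."""

    def __init__(self, start=1):
        self._next = start

    def allocate(self, n):
        ids = [(self._next + i) % ID_SPACE for i in range(n)]
        self._next = (self._next + n) % ID_SPACE
        return ids


class RandomPrekeyIds:
    """Hardened pattern: each ID drawn uniformly, unique per device (hypothetical class)."""

    def __init__(self):
        self._used = set()

    def allocate(self, n):
        out = []
        while len(out) < n:
            cand = secrets.randbelow(ID_SPACE)
            if cand not in self._used:      # IDs must stay unique to address keys
                self._used.add(cand)
                out.append(cand)
        return out


def leak_report(ids):
    """Self-audit of IDs a client would publish: does their structure reveal state?"""
    steps = [b - a for a, b in zip(ids, ids[1:])]
    sequential = sum(1 for s in steps if s == 1) / max(len(steps), 1)
    # A uniform draw falls in the lowest 1/256 of the space about 0.4% of the time.
    low = sum(1 for i in ids if i < ID_SPACE // 256) / max(len(ids), 1)
    # Thresholds are constructed for this illustration, not taken from the research.
    return {"sequential_ratio": sequential, "low_range_ratio": low,
            "reveals_state": sequential > 0.5 or low > 0.5}


if __name__ == "__main__":
    print(leak_report(CounterPrekeyIds().allocate(100)))
    print(leak_report(RandomPrekeyIds().allocate(100)))
```

The audit is only meaningful when every platform build of a client passes it in the same way: a random allocator on one platform does not help if another platform still counts upward.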