Researcher Spotlights WhatsApp Metadata Leak as Meta Begins Rolling Out Fixes

Meta has started addressing WhatsApp vulnerabilities that expose user metadata, specifically targeting flaws that allow adversaries to ‘fingerprint’ a device’s operating system. However, fully masking these signatures is an ongoing challenge.

When threat actors want to deliver sophisticated spyware to a user, they may pick WhatsApp, which has 3 billion users, as a delivery channel. To achieve their goal, the attackers can exploit zero-day vulnerabilities that enable them to deliver a malicious payload to WhatsApp users without any interaction from the victim.

These zero-days can impact WhatsApp itself and third-party components that enable the delivery of spyware through other applications that rely on these components. Paragon spyware attacks that came to light in 2025 targeted dozens of users through the exploitation of such flaws.

WhatsApp zero-days are rare and highly valuable to both attackers and defenders, with $1 million regularly offered by both sides for full-chain exploits.

Device fingerprinting ...