WhatsApp has patched a critical zero-click vulnerability in its iOS and Mac apps that enabled sophisticated spyware attacks targeting specific users over the past three months. The flaw, tracked as CVE-2025-55177, was exploited in combination with an Apple operating system vulnerability to compromise devices and steal sensitive data including private messages.
Meta confirmed it detected and patched the vulnerability “a few weeks ago” and sent notifications to “less than 200” affected WhatsApp users. The company described the attacks as targeting “specific targeted users” through a zero-click exploit that required no interaction from victims to compromise their devices.
The vulnerability was an incomplete authorization check on linked-device synchronization messages: WhatsApp for iOS and Mac did not adequately verify that such a message actually came from a device linked to the target's account, so an unrelated user could make the target's client process content from an arbitrary URL. On its own that only gets attacker-controlled data onto the device; security researchers noted the flaw was chained with Apple's CVE-2025-43300, an out-of-bounds write in the ImageIO framework reached when a crafted image is parsed, which Apple patched on August 20 (iOS 18.6.2 and the corresponding macOS updates). Because the chain needs both bugs, a device is only protected once WhatsApp is on a fixed build (WhatsApp for iOS 2.25.21.73, WhatsApp Business for iOS 2.25.21.78, WhatsApp for Mac 2.25.21.78, or later) and the operating system update is installed as well.
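To make the bug class concrete, the following is an added illustration and not code from WhatsApp or from this article: a sync-message handler that trusts any well-formed message (the "incomplete authorization" shape) beside one that checks the sender against the account's linked-device set, authenticates the message under that device's key, and restricts which origins it will fetch from. The account, device ids, per-device key, HMAC-as-signature, and allow-listed host are all constructed assumptions.

```python
"""Added illustration of the bug class behind CVE-2025-55177 (incomplete
authorization of linked-device sync messages). Hypothetical handler code,
not WhatsApp's implementation; device ids, keys and hosts are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed fixture: account "alice" has exactly one linked companion device.
LINKED_DEVICES = {"alice": {"alice-laptop"}}
# Hypothetical per-device key established at link time (stand-in for the
# device's real signing key); an unrelated user never holds it.
DEVICE_KEYS = {("alice", "alice-laptop"): b"constructed-link-secret"}
# Hypothetical allow-list of hosts the client will fetch sync content from.
ALLOWED_CONTENT_HOSTS = {"media.example.com"}


@dataclass(frozen=True)
class SyncMessage:
    account: str         # account whose devices are being synchronised
    sender_device: str   # device id the message claims to come from
    content_url: str     # URL the receiving client is asked to process
    mac: bytes           # authenticator over the fields under the sender's key


def authenticate(account: str, sender_device: str, content_url: str, key: bytes) -> bytes:
    """HMAC over the message fields; stands in for a device signature."""
    data = f"{account}|{sender_device}|{content_url}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def vulnerable_handle(msg: SyncMessage, fetched: list) -> bool:
    """Incomplete authorization: every well-formed sync message is trusted,
    so whoever can deliver one chooses the URL the client goes on to parse."""
    fetched.append(msg.content_url)
    return True


def hardened_handle(msg: SyncMessage, fetched: list) -> bool:
    """Process the sync only if it provably comes from a device linked to the
    target account and points at the service's own content hosts."""
    # 1. The claimed sender must be in the account's linked-device set.
    if msg.sender_device not in LINKED_DEVICES.get(msg.account, set()):
        return False
    # 2. The message must authenticate under that device's key, so merely
    #    naming a real device id is not enough.
    key = DEVICE_KEYS[(msg.account, msg.sender_device)]
    expected = authenticate(msg.account, msg.sender_device, msg.content_url, key)
    if not hmac.compare_digest(expected, msg.mac):
        return False
    # 3. Defence in depth: never hand an arbitrary origin to the media parser,
    #    which is where a chained image-decoder bug would otherwise be reached.
    url = urlparse(msg.content_url)
    if url.scheme != "https" or url.hostname not in ALLOWED_CONTENT_HOSTS:
        return False
    fetched.append(msg.content_url)
    return True


def legitimate_sync() -> SyncMessage:
    url = "https://media.example.com/sync/abc"
    mac = authenticate("alice", "alice-laptop", url, DEVICE_KEYS[("alice", "alice-laptop")])
    return SyncMessage("alice", "alice-laptop", url, mac)


def forged_sync() -> SyncMessage:
    """An unrelated user injects a sync for alice pointing at their own server.
    They can name a real device id but cannot produce its authenticator."""
    url = "https://attacker.example.net/payload"
    mac = authenticate("alice", "alice-laptop", url, b"guess")
    return SyncMessage("alice", "alice-laptop", url, mac)


def unlinked_sync() -> SyncMessage:
    """Same idea, but from a device id that was never linked to the account."""
    url = "https://attacker.example.net/payload"
    mac = authenticate("alice", "attacker-phone", url, b"guess")
    return SyncMessage("alice", "attacker-phone", url, mac)


def run() -> dict:
    """Returns each handler's decision per message and the URLs it would fetch."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_handle), ("hardened", hardened_handle)):
        fetched = []
        results[name] = {
            "legit": handler(legitimate_sync(), fetched),
            "forged": handler(forged_sync(), fetched),
            "unlinked": handler(unlinked_sync(), fetched),
            "fetched": fetched,
        }
    return results


if __name__ == "__main__":
    for name, outcome in run().items():
        print(name, outcome)
```

Running it shows the vulnerable handler fetching the attacker's URL for both forged messages while the hardened one fetches only the legitimately linked device's content; the third check is the one that limits blast radius even if the first two were somehow bypassed, because the image parser never sees an arbitrary origin.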
- Surprisingly, WhatsApp has had the fewest controversies of all Meta stuff.
- Probably because it picks a lane and stays in it, although I wouldn't trust it on even a burner phone.
 
- So… they let you uninstall it? Or are we talking about spyware not made by Meta?
- Because the way I understand it, Meta has been hacking iPhones ever since the App Tracking Protection thing came about. Mostly via the in-app browser. Point is, Tim Cook said Meta can continue to track you, they just have to get your permission first, and even if you said no, they still found a way to do it anyway. Therefore, are Meta products not spyware?
- (So are Google products. On iPhone, you block ads system-wide with a DNS filter. Same as you do on an unrooted Android phone, since you don't have access to the HOSTS file — rooted users are just using AdAway or something like it to update HOSTS. Anyway, Google apps use Google DNS, which they say makes them faster, but it also has the convenient upshot (to them) of going around your ad blocking, and forcing ads on a user who has explicitly configured their device to block them.)