
Meta has begun slowly patching security flaws in WhatsApp that allowed a user's operating system to be identified without their knowledge. This is not a direct account breach but device fingerprinting: the collection of metadata that helps attackers determine the victim's exact device and OS so they can select a suitable attack vector.

Why does this matter? Because WhatsApp is one of the most attractive channels for delivering spyware. The messenger has nearly 3 billion users, and rare 0-day vulnerabilities in it are highly valued: a complete exploit chain can fetch up to a million dollars on the market. Such vulnerabilities were used, for instance, in attacks involving the Paragon spyware tool, which became public knowledge in 2025.

Before deploying a zero-day, attackers must determine which OS the target is running: Android, iOS, or the web version on a desktop. As researchers have discovered over the last couple of years, a single phone number suffices for this. No clicks, messages, or notifications to the victim are necessary, and the victim will not even realize that data about their device has already been collected.

Attackers can determine a user's primary device, the OS of all linked devices, the approximate "age" of these devices, and even whether WhatsApp is being used via the application or a browser. This was possible because of predictable values in the encryption key identifiers that WhatsApp assigned to devices.

One of the main researchers on this topic is Tal Beeri, co-founder and CTO of the crypto wallet Zengo. He and his team had long informed Meta (recognized as extremist and banned in Russia) about the issue, yet the developers reacted only recently. Beeri observed that WhatsApp has started randomizing key identifiers on Android, which makes fingerprinting significantly harder.