From Pegasus to CVE-2025: 3 times WhatsApp faced critical security issues
WhatsApp security breaches show encryption alone cannot guarantee user privacy
From Pegasus spyware to CVE-2025 exploits, WhatsApp history
A history of WhatsApp vulnerabilities and metadata flaws
The news this week has struck at the very foundation of WhatsApp’s existence. A massive class-action lawsuit filed in San Francisco alleges that the platform’s “End-to-End Encryption” is a lie. The suit claims Meta has maintained backdoors to access private chats for years, effectively calling the app’s primary selling point a “frivolous work of fiction.”
While Meta has categorically denied the claims, calling them “absurd,” the damage to user trust is already done. But for those who have followed the platform’s history, this skepticism isn’t new. The privacy of WhatsApp users has repeatedly been compromised, not just by policy changes, but by critical flaws in the code itself.
Beyond the current courtroom battle, here are three major instances where WhatsApp’s security architecture was weaponized against its users.
The return of the “zero-click” (CVE-2025-55177)
Just as the industry thought the era of “zero-click” exploits was fading, late 2025 delivered a harsh wake-up call. The discovery of CVE-2025-55177 proved that the architecture of modern messaging apps remains a playground for state actors. The vulnerability wasn’t found in the message transport layer, but in the complex “Linked Devices” synchronization protocol.
Attackers utilized a Remote Code Execution (RCE) chain that required absolutely no interaction from the victim. By sending a specially crafted message that the WhatsApp server pushed to a target’s phone, they could trigger the exploit during the background sync process. Because the app failed to properly authorize these sync messages, the malicious payload was processed automatically. The compromise happened silently, earning this CVE a spot on CISA’s “Known Exploited Vulnerabilities” list almost immediately.

The 3.5 billion user “phone book”
In November 2025, a massive data exposure incident revealed that while your messages might be encrypted, your existence on the platform is not. Researchers from the University of Vienna demonstrated a technique to enumerate and scrape data from 3.5 billion users – virtually the entire active user base. This was enabled by an API Logic Flaw rather than a server breach; WhatsApp’s Contact Discovery API lacked sufficient rate-limiting for server-side queries.
Attackers and researchers were able to script bots to query millions of random phone numbers against WhatsApp’s servers. The servers obligingly verified which numbers were active and returned their metadata, including profile pictures, “About” text, and “Last Seen” status. This effectively created a global, searchable database of active numbers, linking real-world identities to digital footprints. This “perfect phone book” is now the fuel for the targeted phishing and malware campaigns (like PluggyApe) we are seeing today.
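The missing control described above, sketched as an added example (not code from the article or from WhatsApp): a per-client sliding-window cap on the number of distinct phone numbers a contact-discovery endpoint will answer for. The class name, the limits, the client labels and all phone numbers are constructed for illustration, and batched lookups are assumed.

```python
from collections import defaultdict, deque


class DiscoveryBudget:
    """Per-client sliding-window cap on DISTINCT phone numbers looked up.

    Counting numbers rather than requests matters: if one batched request
    can carry many candidates, a requests-per-minute limit alone does not
    slow enumeration down.
    """

    def __init__(self, max_numbers, window_seconds):
        self.max_numbers = max_numbers
        self.window = window_seconds
        self._history = defaultdict(deque)  # client_id -> deque[(time, number)]

    def answerable(self, client_id, numbers, now):
        """Return the numbers the server may answer for; the rest are refused."""
        history = self._history[client_id]
        while history and now - history[0][0] >= self.window:
            history.popleft()                      # expire old lookups
        charged = {n for _, n in history}
        answered = []
        for number in numbers:
            if number in charged:                  # re-syncing a known contact is free
                answered.append(number)
            elif len(charged) < self.max_numbers:  # new number: spend budget
                history.append((now, number))
                charged.add(number)
                answered.append(number)
        return answered


def simulate():
    """Constructed traffic: an address-book sync versus a number-range sweep."""
    budget = DiscoveryBudget(max_numbers=500, window_seconds=86_400)
    contacts = [f"+4366000{i:05d}" for i in range(200)]           # constructed
    first = len(budget.answerable("phone-app", contacts, now=0))
    resync = len(budget.answerable("phone-app", contacts, now=3_600))
    swept = 0
    for batch in range(100):                                      # 100,000 candidates
        candidates = [f"+4367{batch * 1000 + i:07d}" for i in range(1000)]
        swept += len(budget.answerable("sweeper", candidates, now=batch * 36))
    return first, resync, swept
```

An ordinary address-book sync and its re-sync are answered in full, while the sweep of 100,000 candidates gets answers for only 500 numbers per day.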
Pegasus (2019)
No list of WhatsApp security failures is complete without the incident that shattered the illusion of absolute privacy: the NSO Group’s Pegasus scandal. The attack vector was a Buffer Overflow vulnerability hiding within WhatsApp’s VoIP (Voice over IP) stack.
Attackers could initiate a WhatsApp voice call to the target, where the incoming call packets contained malicious code that overflowed the app’s memory buffer. This crash disabled the internal security walls and injected the spyware. Crucially, the attacker could end the call and erase the log before the user even noticed. Pegasus taught the world a terrifying lesson in the difference between endpoint security and encryption; once the spyware had root access to the OS, it could read messages on the screen, record keystrokes, and activate the microphone, rendering E2EE irrelevant.
The current lawsuit alleges a deliberate backdoor, but history shows we don’t need a conspiracy theory to worry about privacy. Whether it’s a buffer overflow in 2019 or a sync-protocol flaw in 2025, the technical reality is that the convenience of a feature-rich app often opens the door to critical vulnerabilities – encrypted or not.
Vyom Ramani
A journalist with a soft spot for tech, games, and things that go beep. While waiting for a delayed metro or rebooting his brain, you’ll find him solving Rubik’s Cubes, bingeing F1, or hunting for the next great snack.