Zero‑Click WhatsApp Account Takeover on iOS 16 iPhones Bypasses Linked‑Device Checks
What Happened — A zero‑click exploit targeting iOS 16 devices allowed threat actors to hijack WhatsApp accounts, send fraudulent messages, and exfiltrate recent chat data without any user interaction or visible linked‑device session.
Why It Matters for TPRM — • Demonstrates that mobile‑app supply‑chain vulnerabilities can compromise third‑party communications channels. • Highlights the risk of credential‑less account takeover that bypasses traditional MFA and device‑link checks. • Forces enterprises to reassess the security posture of any vendor that relies on WhatsApp for customer outreach or internal coordination.
Who Is Affected — Mobile users of WhatsApp on iPhone 8 – 14 running iOS 16 (individuals, but also employees using WhatsApp for business).
Recommended Actions — • Verify that all corporate WhatsApp usage is limited to devices with the latest iOS patches (iOS 17+). • Enforce secondary verification for high‑value WhatsApp transactions (e.g., out‑of‑band confirmation). • Review vendor contracts for clauses requiring timely patching of mobile‑app dependencies.
Technical Notes — The attack leverages a previously unknown iOS 16 kernel vulnerability (zero‑click) to gain code execution within the WhatsApp process, inject messages, and read recent chats. No QR‑code pairing or credential theft is observed. The exploit appears to be a zero‑day, currently unpatched, and is being actively used in the wild. Source: Security Affairs