WhatsApp recently patched a security bug in its iOS and Mac clients that enabled zero-click attacks against “specific targeted” Apple users.
The bug was used to deliver advanced spyware that targeted “civil society” individuals, according to Donncha Ó Cearbhaill, Head of Security Lab at AmnestyTech, the global charity’s cybersecurity unit. These include people working for charities, NGOs, or as journalists. The campaign is thought to have been going on since the end of May.
Tracked as CVE-2025-55177, the bug was a type of authorization bypass in the iOS and Mac versions of WhatsApp that allowed attackers to force content from an “arbitrary URL” to be rendered on a target’s device. As it was a “zero-click” hack, users did not need to click a link or perform any action for the attack to succeed.
WhatsApp’s announcement comes after Apple announced last month that it had released emergency updates for a separate OS-level flaw tracked as CVE-2025-43300, saying it had been exploited in an “extremely sophisticated attack.” Ó Cearbhaill says the hack campaign used both bugs in combination.
The Meta-owned messaging app has begun notifying users it believes may have been impacted by the hack. Although it says it has made changes to prevent this specific attack from occurring again via WhatsApp, the devices of targeted users could remain compromised by the malware or “be targeted in other ways.” It recommends that users who think they may have been affected perform a full device factory reset, keep their devices updated to the latest version of the operating system, and ensure that their WhatsApp app is up to date.
Meanwhile, Amnesty’s cyber expert noted that the Apple vulnerability exploited in the hack is located in a core image library, meaning targeting is possible through apps other than WhatsApp.
WhatsApp didn’t name a possible culprit. But we’ve seen plenty of allegations emerge in recent months about governments using sophisticated spyware to spy on NGO workers and journalists via the ubiquitous messaging app.
In June, Italy axed its contracts with Israeli spyware firm Paragon, after an investigation alleged its software had been used to spy on Italian journalists and migrant charity workers via WhatsApp. However, these claims have so far been denied by the Italian government.