WhatsApp leaks user metadata to attackers
Tal Be’ery knew that I was online the night before I called him. He knew what kind of device I was using. I didn’t share this information with him. All he had was my phone number.
I had no way to know that he was learning that information about me, either. Be’ery, cofounder and chief technology officer (CTO) of Zengo — whose $70 million acquisition by eToro was announced during our call — silently pried into my online habits (with my permission) using a jerry-rigged program he designed to plug into WhatsApp, and exploit the thin layer of metadata it leaks. In a presentation at Black Hat Asia 2026, he’ll show that anyone can perform the same tricks, be they sophisticated nation-state advanced persistent threats (APTs) or lowly scammers. It doesn’t require any kind of sophisticated zero-day; all one has to do is leverage WhatsApp’s own design choices.
Dark Reading contacted WhatsApp in the process of reporting this story. The company made no official statement but did confirm the details of Be’ery’s findings and alluded to mitigations it’s been working on to address the areas of his research WhatsApp deems significant.
Read more at Dark Reading