Researcher Spotlights WhatsApp Metadata Leak as Meta Begins Rolling Out Fixes

Meta has begun addressing vulnerabilities in WhatsApp that allow attackers to “fingerprint” users’ devices, a privacy flaw that can aid in the delivery of sophisticated spyware. Researchers say the issue has limited practical impact without the presence of a zero-day exploit but still raises concerns about user privacy.

Device fingerprinting explained

Device fingerprinting lets attackers infer details about a user’s devices and operating systems using only their phone number, without any interaction from the victim. This reconnaissance step is critical for attackers who want to deliver malicious payloads tailored to a device’s OS. Researchers have demonstrated that attackers can determine:

• The primary device of a user
• Operating system of each linked device
• Device age
• Whether WhatsApp is running on mobile or web

This information relies on predictable values in WhatsApp’s encryption key IDs.

Tal Be’ery, CTO of the Zengo cryptocurrency wallet, has been investigating this technique. His research shows that, while Meta has started randomizing key IDs for Android devices, device fingerprinting still works in practice. iPhones, for instance, initialize the parameter with a low value and increment it slowly, making them distinguishable from Android devices.

Meta’s response

Meta has begun rolling out changes aimed at limiting device fingerprinting, particularly on Android. WhatsApp said these efforts are part of a broader approach to secure the platform against multiple attack vectors, while maintaining usability.

Key points from WhatsApp’s response:

• Device fingerprinting is common across platforms and technologies.
• Inferring an OS usually has limited security impact without a zero-day exploit.
• OS inference is partly necessary for app optimization and user experience.
• The reported issues were deemed low severity and did not meet the CVE threshold.

Meta confirmed that Be’ery’s findings helped improve handling of invalid messages and bug bounty triage. Be’ery received a reward for his contributions.

Broader security context

Meta has also been actively fighting spyware threats targeting WhatsApp. This includes disrupting attacks, collaborating with researchers, raising user awareness, and taking legal action. Notably, Meta won a lawsuit against NSO Group, the spyware maker behind Pegasus, which has been ordered to stop hacking WhatsApp and pay damages.

While device fingerprinting alone is not considered a critical vulnerability, the updates by Meta are a first step toward fully randomizing key IDs across all platforms, potentially closing the privacy gap.