Security Researcher Uncovers Four WhatsApp Vulnerabilities at Recon Montreal 2025


Montreal, Quebec – Mobile security researcher Luke McLaren, known as @datalocaltmp, presented four distinct WhatsApp vulnerabilities across multiple platforms in his talk at Recon Montreal 2025. The bugs range from remote memory corruption to logic flaws and affect the iOS, Android, and macOS versions of the messaging application.

McLaren was careful to note that none of the findings is a "0-click RCE" (remote code execution without user interaction); they are remotely triggerable memory corruption and what he called "funny logic bugs." He teased the talk in advance, writing, "If you're excited to see the WhatsApp bug thrown @thezdi - free to watch my talk from @reconmtl 2025 on 4 remote bugs I discovered last year!"

The first disclosed vulnerability is a URL validation flaw on iOS that could send users to an external site without a clear indication that they were leaving WhatsApp. The second is an XMPP stanza parsing issue that leads to native out-of-bounds memory accesses in the PJSIP component; because that code is shared, it affects every platform WhatsApp runs on, and in practice it crashes the application.

The third is a logic bug on Android that allowed a participant to start an unauthorized video stream during a group voice chat, a privacy issue rather than a memory-safety one. The fourth is a use-after-free in WhatsApp's media thread that primarily affects macOS and older iOS versions, illustrating how a defect in shared native code surfaces on several platforms at once.

WhatsApp has since patched all four issues. Some of the fixes were deployed server-side, which was possible because the call offer stanzas involved are not end-to-end encrypted and can therefore be validated before they reach the client.