GOOD MORNING: WhatsApp caught & fixed a sophisticated zero click attack...
They just published an advisory about it.
Say attackers combined the exploit with an Apple vulnerability to hack a specific group of targets (i.e. this wasn't pointed at everybody)
That's a CROSS-APP exploit chain. Which is fancy. We'll discuss in a second.
But wait, you say, haven't I heard of WhatsApp zero-click exploits not so long ago?
You have.
A big user base makes a platform a big target for exploit development.
Attacker's perspective = an exploit against a popular messenger gives you potential access to a lot of devices.
The regular tempo of large platforms catching sophisticated exploits is a good sign.
They're paying attention & devoting resources to a growing category: highly targeted, sophisticated attacks.
But it's also a reminder of the magnitude of the threat.
Here's the Apple CVE.
Somewhere, earlier this summer, some people in a room probably had a bad day when this clever cross-app chain stopped working.
The cross-app chain = probably also a sign of the increasing tech lift required to get to device compromise. Consequence of various mitigations.
The cost-to-compromise is only going up. Which is arguably a sign that the increasing scrutiny + efforts by platforms & OS developers are having an impact.
That said, the threat of this stuff is going nowhere because there's an infinite governmental appetite for compromise.
Still, I'd argue that the increasing cost of zero-clicks has the effect of pricing out a bunch of potential actors, which slows the proliferation of this tech to *some* bad actors.
WhatsApp Advisory:
Apple Advisory:
WhatsApp.com
WhatsApp Security Advisories 2025
WhatsApp Security Advisories 2025: list of security fixes for WhatsApp products.
Apple Support
About the security content of iOS 18.6.2 and iPadOS 18.6.2 - Apple Support
This document describes the security content of iOS 18.6.2 and iPadOS 18.6.2.

If only they'd put that money into BTC those labs where I slaved away as an undergrad would be humming.
Source: 
I'm in puzzled wonderment at this claim.
Preventing ad-blocking would be a huge blow to German cybersecurity and privacy.
There are critical security & privacy reasons to influence how a website's code gets displayed.
Like stripping out dangerous code & malvertising.
Hacking risks from online advertising are documented.
Any attempt to force Germans to run all of the code on a website without consideration for their privacy and security rights and needs will end very, very poorly.
Defining HTML/CSS as a protected computer program will quickly lead to absurdities touching every corner of the internet.
Just think of the potential infringements:
-Screen readers for the blind
-'Dark mode' browser extensions
-Displaying snippets of code in a university class
-Inspecting & modifying code in your own browser
-Website translators
Or blocking unwanted trackers.
This is why most governments do it on their systems.
I'm not a lawyer, but if Axel Springer wins the consequences are just nuts:
Basic stuff like bookmarking & saving a local copy of a website might be legally risky.
The Wayback Machine & internet archives and libraries might be violators.
This might even extend to search engines displaying excerpts of sites.
Code sharing sites like GitHub could become a liability minefield...
The list goes on and on.
Finally, only one country has banned ad-blockers. China.
This is not good company for Germany.
READ MORE: From Mozilla 
While there was strong activist pressure here the key push came from the US government.
But there is zero rest for the weary as the UK has been leaning much harder into Age Verification.
Which is another mechanism for gaining deep visibility into people's online activity.
Story: 



And their companies will get hit with fat breaches.
Me? I'm waiting for attackers to figure out how to reliably slip backdoors into vibecoded outputs at scale.
Via FT:
Restricts spyware to serious cases.
Interesting development.
Court says: capturing data at the source (i.e. on someone's phone) is maximally invasive.
Especially given how much of our lives happens online.
They also surface the security risks to systems from this kind of surveillance.
Watching Germany's highest court grapple with spyware's invasiveness & rights violations is instructive.
States wielding spyware without robust legal limitations and tight judicial oversight... are almost guaranteed to be violating their citizens' basic rights.
In so many jurisdictions, state secrecy & lack of effective legal challenges mean spyware harms are happening daily.
Huge credit to German digital freedoms organization #digitalcourage for bringing this case.
Court statement:
Mandated microphones in private spaces are a bad idea.
Throwing invasive sensors into private spaces rarely fixes socially scary problems.
But is almost guaranteed to have risky downsides.
Story: 
