All news with #meta tag

WhatsApp flaw allowed discovery of 3.5B registered numbers

🔍 Researchers from the University of Vienna and SBA Research found a flaw in WhatsApp's contact discovery that let them enumerate valid numbers globally, confirming about 3.5 billion registered accounts. By abusing the lookup mechanism they could probe numbers across 245 countries at rates exceeding 100 million checks per hour from a single IP. The technique also exposed public (non-private) keys, timestamps, profile photos and About text, enabling inference of device OS, account age and linked secondary devices, prompting Meta to add rate limits and tighter visibility rules.

Meta Expands WhatsApp Security Research Effort

🛡️ Meta has provided selected long‑time bug bounty researchers with a new tool, WhatsApp Research Proxy, to streamline analysis of WhatsApp's network protocol and reduce barriers to in‑depth research. The company is also running a pilot that invites research teams to focus on platform abuse with internal engineering and tooling support. Meta said it has paid more than $25 million to over 1,400 researchers in 15 years and recently added anti‑scraping protections after a study showed an account‑enumeration technique able to map billions of users.

ShadowMQ Deserialization Flaws in Major AI Inference Engines

⚠️ Oligo Security researcher Avi Lumelsky disclosed a widespread insecure-deserialization pattern dubbed ShadowMQ that affects major AI inference engines including vLLM, NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server and SGLang. The root cause is using ZeroMQ's recv_pyobj() to deserialize network input with Python's pickle, permitting remote arbitrary code execution. Patches vary: some projects fixed the issue, others remain partially addressed or unpatched, and mitigations include applying updates, removing exposed ZMQ sockets, and auditing code for unsafe deserialization.

Phishing Campaign Uses Meta Business Suite to Target SMBs

📨 Check Point email security researchers uncovered a large-scale phishing campaign that abuses Meta's Business Suite and the facebookmail.com delivery domain to send convincing fake notifications. Attackers craft messages that appear to originate from Meta, allowing them to bypass many traditional security filters and increase the likelihood of SMBs across the U.S. and internationally engaging with malicious links or credential-stealing pages. Organizations should strengthen email defenses, monitor suspicious Business Suite activity, and educate staff to reduce exposure.

WhatsApp Adds Passwordless Passkey Chat Backups now

🔒 WhatsApp is rolling out passkey-encrypted chat backups on iOS and Android, allowing users to secure backups with biometrics or a device screen lock instead of a password. Passkeys rely on a device-generated private/public key pair so the private key never leaves the device, reducing exposure to credential theft. Users can enable the feature under Settings > Chats > Chat backup > End-to-end encrypted backup. Meta has begun a global rollout that will reach users over the coming weeks and months.

Hackers Earn $1,024,750 for 73 Zero‑Days at Pwn2Own Ireland

🛡️ Pwn2Own Ireland 2025 concluded in Cork with security researchers awarded $1,024,750 after demonstrating 73 zero-day vulnerabilities across eight product categories. Targets included printers, network-attached storage, messaging apps, smart home and surveillance devices, home networking gear, flagship phones (iPhone 16, Galaxy S25, Pixel 9) and wearables. The contest expanded the attack surface to include USB port exploitation on locked mobile handsets while retaining Bluetooth, Wi‑Fi and NFC vectors. Summoning Team topped the leaderboard with $187,500 and 22 Master of Pwn points.

WhatsApp $1M Zero-Click Hack Mystery: Pwn2Own Outcome

🔐 A high-profile entry by a hacker known as ‘Eugene’ at Pwn2Own Ireland 2025 withdrew a claimed zero-click remote code execution exploit targeting WhatsApp, forfeiting the event’s $1 million top prize. Organizers Trend Micro ZDI say Team Z3 is sharing findings privately for coordinated disclosure to Meta, while WhatsApp reports no viable exploit was publicly demonstrated. The cancellation has fueled speculation about exploit readiness and underscores the role of responsible disclosure and rigorous triage before public demonstrations.

Meta launches new anti-scam tools for WhatsApp, Messenger

🛡️ Meta is rolling out new anti-scam features for Messenger and WhatsApp to help users detect and avoid fraud. Messenger testing includes AI-assisted scam detection that warns about suspicious new contacts and offers options to block, report, or submit messages for review. WhatsApp will display warnings about screen-sharing with unknown callers. These protections are enabled by default.

Meta Adds Scam Warnings to WhatsApp and Messenger Apps

🔒 Meta is rolling out new anti-scam features for WhatsApp and Messenger. On WhatsApp, users will receive warnings when attempting to share their screen with unknown contacts during video calls to help prevent accidental exposure of bank details or verification codes. On Messenger, an opt-in Scam detection setting flags potentially suspicious messages from unknown senders; detection runs on-device to preserve end-to-end encryption unless users choose to submit recent messages for AI review, which removes E2EE. Meta also said it has taken action against thousands of impersonating pages and disrupted millions of accounts tied to organized scam centers.

Class Action in Germany Targets Meta over 2021 Facebook Leak

⚖️ A German consumer association has launched a model declaratory action against Meta after data from more than 530 million Facebook users was posted on the dark web in April 2021. The Federation of German Consumer Organisations argues Meta failed to protect user data and to inform affected people adequately. Plaintiffs seek tiered compensation of €100–€600 and the Hanseatic Higher Regional Court will first address jurisdictional and formal matters in the hearing.

Singapore Threatens Meta With Fines Over Facebook Scams

🛡️ The Singapore Police Force has issued an implementation directive under the Online Criminal Harms Act requiring Meta to implement enhanced facial recognition for Singapore users and to prioritise review of local scam reports by September 30. The Ministry of Home Affairs said Facebook was the primary platform for government impersonation scams between June 2024 and June 2025, and the SPF disrupted about 2,000 problematic ad schemes on Meta. If Meta fails to comply without a reasonable excuse it faces a S$1m fine and daily penalties after conviction.

WhatsApp Adds Message Translation to iPhone and Android

🌐 WhatsApp has begun rolling out a new message translation feature for Android and iPhone that translates messages in chats, groups, and channel updates. On iOS, users can translate individual messages via long-press and tapping 'Translate', while Android users can also enable automatic translation to convert all messages in a thread. Initial language support differs by platform and the rollout will be gradual.

Former Meta Lobbyist Named to Ireland's DPC, Concerns

⚖️ The Irish government has appointed Niamh Sweeney as a member of the Data Protection Commission, the authority that leads EU oversight of major technology companies. The appointment has drawn strong criticism from privacy organization Noyb, which highlights Sweeney’s previous role as a lobbyist for Meta. Critics, including Max Schrems, argue this raises questions about impartiality and potential regulatory capture. As recently as December, the DPC fined Meta €251 million for breaches of GDPR, a fact cited by opponents of the appointment.

CrowdStrike Secures AI Across the Enterprise with Partners

🔒 CrowdStrike describes how the Falcon platform delivers unified visibility and lifecycle defense across the full AI stack, from GPUs and training data to inference pipelines and SaaS agents. The post highlights integrations with NVIDIA, AWS, Intel, Dell, Meta, and Salesforce to extend protection into infrastructure, data, models, and applications. It also introduces agentic defense via Charlotte AI for autonomous triage and rapid response, and emphasizes governance controls to prevent data leaks and adversarial manipulation.

On-demand deployment for custom Meta Llama models on Bedrock

🚀 Amazon Bedrock now offers an on-demand deployment option for customized Meta Llama 3.3 models that have been fine-tuned or distilled in Bedrock; models customized on or after September 15, 2025 are eligible. The feature lets customers process requests in real time and pay only for consumed compute, removing the need for pre-provisioned always-on resources. Bedrock continues to provide a managed platform with built-in security, privacy, and responsible AI capabilities.

Samsung patches actively exploited zero-day in image codec

🔒 Samsung has released a patch for a critical remote code execution vulnerability tracked as CVE-2025-21043 that was actively exploited on Android devices. Reported by Meta and WhatsApp security teams on August 13, the flaw stems from an out-of-bounds write in libimagecodec.quram.so, a closed-source Quramsoft image parser, and affects devices running Android 13 and later. Samsung’s advisory notes an exploit was observed in the wild and that other messaging apps using the vulnerable library could also be at risk; users should apply the September SMR update promptly.

Malicious Browser Extensions Target Meta Advertisers

🔒 Researchers disclosed two coordinated campaigns that distribute fake browser extensions via malvertising and counterfeit sites to steal credentials, session tokens, and hijack Meta business accounts. Bitdefender documented ads pushing a fake "Meta Verified" add‑on named SocialMetrics Pro that harvests Facebook session cookies and exfiltrates them to a Telegram bot while also querying ipinfo[.]io for IP data. Cybereason described a separate campaign using counterfeit sites promoting a bogus Madgicx Plus platform and multiple rogue Chrome extensions that request broad site access, capture Google identity data, then pivot to Facebook to facilitate account takeover.

Brokewell Android Malware Spread via Fake TradingView Ads

⚠️Cybercriminals are abusing Meta advertising to distribute a malicious Android app impersonating TradingView Premium. Bitdefender says the campaign, active since at least July 22, redirects Android users to a counterfeit site that serves a trojanized tw-update.apk and requests accessibility rights while simulating an OS update to capture PINs. The installed Brokewell variant escalates privileges to exfiltrate credentials and 2FA codes, hijack SMS, record screens and audio, and accept remote commands for theft and device control.

WhatsApp Emergency Update Fixes Zero-Click iOS/macOS Bug

🔒 WhatsApp has issued emergency updates for iOS and macOS to fix CVE-2025-55177, a high-severity authorization flaw that may have been exploited alongside an Apple ImageIO zero-day (CVE-2025-43300). The bug could allow processing of content from an arbitrary URL on a target device and affects specific iOS, Business iOS, and Mac app versions. Users are urged to update immediately; confirmed targets were advised to perform a full factory reset.

Instagram Friend Map Risks: Privacy and Physical Safety

⚠️ Meta’s new Friend Map feature on Instagram is framed as an opt-in way to see friends’ locations and shared hangouts, but it raises serious privacy and safety concerns. Enabling the map can expose precise real‑time or habitual location data that bad actors could exploit for stalking, targeted harassment, or profiling. The feature blurs digital privacy and physical security, so users should carefully review settings, limit audiences, or decline participation if concerned about their safety.