
39c3: DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices (39c3-1700-eng-deu-DNGerousLINK_A_Deep_Dive_into_WhatsApp_0-Click_Exploits_on_iOS_and_Samsung_Devices_webm-hd)

2026-01-06 32 Dailymotion

The spyware attack targeting WhatsApp, disclosed in August as an in-the-wild exploit, garnered significant attention. By simply knowing a victim's phone number, an attacker could launch a remote, zero-interaction attack against the WhatsApp application on Apple devices, including iPhones, iPads, and Macs. Subsequent reports indicated that WhatsApp on Samsung devices was also targeted by similar exploits.

In this presentation, we will share our in-depth analysis of this attack, deconstructing the 0-click exploit chain built upon two core vulnerabilities: CVE-2025-55177 and CVE-2025-43300. We will demonstrate how attackers chained these vulnerabilities to remotely compromise WhatsApp and the underlying iOS system without any user interaction or awareness. Following our analysis, we successfully reproduced the exploit chain and constructed an effective PoC capable of simultaneously crashing the target application on iPhones, iPads, and Macs.

To deconstruct this critical and stealthy in-the-wild 0-click exploit chain, we will detail our findings in several parts:

1. WhatsApp 0-Click Attack Vector (CVE-2025-55177). We will describe the 0-click attack surface we identified within WhatsApp. We will detail the flaws in WhatsApp's message handling logic for "linked devices," which stemmed from insufficient validation, and demonstrate how an attacker could craft malicious protocol messages to trigger the vulnerable code path.
2. iOS Image Parsing Vulnerability (CVE-2025-43300). The initial exploit allows an attacker to force the target's WhatsApp to load arbitrary web content. We will then explain how the attacker leverages this by embedding a malicious DNG image within a webpage to trigger a vulnerability in the iOS image parsing library. We will analyze how the RawCamera framework handles the parsing of DNG images, and pinpoint the resulting OOB vulnerability.
3. Rebuilding the Chain: From Vulnerability to PoC. In addition, we will walk through our process of chaining these two vulnerabilities, constructing a functional Proof-of-Concept (PoC) that can simultaneously crash the WhatsApp application on target iPhones, iPads, and Macs.

In this video, we analyze the critical DNGerousLINK WhatsApp exploit.
