2025-06-28, Grand Salon
This talk explores three separate vulnerabilities uncovered in WhatsApp across multiple platforms - iOS, Android, and MacOS - affecting both end-to-end encrypted messaging and calling features. I’ll walk through each bug, including a URL validation flaw (iOS), an XMPP parsing bug leading to native vulnerabilities in PJSIP (all platforms), and a logic issue that allowed unauthorized video streams during group voice chats (Android).
Attendees will get a deep dive into WhatsApp’s architecture, including cross-platform compilation quirks and native XMPP signaling. The talk will also cover reverse engineering strategies and practical bug-hunting methodologies for complex mobile apps.
In this talk, we dive deep into the internals of WhatsApp’s messaging and calling systems across Android, iOS, and MacOS. I’ll walk through three bugs found in production builds of WhatsApp: an event URL validation flaw allowing redirection via "Join Call" messages, an XMPP capabilities data parsing bug leading to native out-of-bounds accesses in PJSIP, and a signalling abuse that enabled unauthorized video streams during group voice chats.
We’ll start with a comprehensive overview of WhatsApp’s architecture - covering cross-compilation practices, calling architecture, and E2EE messaging cryptographic functions. From there, we move into a detailed breakdown of each bug:
• How each vulnerability was discovered,
• How the bugs manifest differently across platforms,
• Full proof-of-concept demonstrations (including crash videos and call manipulation examples), and
• Reverse engineering approaches for binary analysis and live message/signalling interception using tools like Frida.
The presentation will feature a substantial amount of original proof-of-concept material - including videos capturing live exploitation scenarios and practical reverse engineering workflows - ensuring attendees get a direct, unfiltered look at the attack surfaces and bug classes in WhatsApp’s complex ecosystem.
Luke McLaren (@datalocaltmp) is a mobile security researcher focused on reverse engineering and bug hunting in large-scale messaging platforms. He shares his work publicly under the handle @datalocaltmp and runs his blog at s11research.com, a resource hub for dissecting mobile apps.
Luke’s research has uncovered vulnerabilities in Meta’s products including WhatsApp, Messenger, and Quest, with a focus on the native code, encryption layers, and signaling logic that power real-world communications.