Bill takes thoughtful look at the transition from summer camp to grind season, explores the importance of mental health and reflects on AI psychiatry.

Thursday, September 4, 2025 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

_This is the way the world ends_   
_This is the way the world ends_   
_This is the way the world ends_   
_Not with a bang but a whimper._ – T.S. Eliot 

So this is how Summer Camp 2025 ends, not with a bang but a whimper. We’ve put the summer behind us and are moving on to the next phase of the year, where we all put our noses down and grind from here to the holiday season. Happy Grind Season 2025.

As you know, threat research never takes a day off, but I’m going to step in and remind you all to look at your calendars. Decide, here and now, to take some time before that holiday season so that you can take care of your mental health, because mental health _is_ health.

This is doubly important if you lead a team of people. Take a minute and make sure that they are going to do the same. Ensure your entire team is taking care of themselves. In the end, you will all be better for it. 

Since we are on the subject of mental health, I don’t know if anyone else has read this paper (Psychopathia Machinalis: A Nosological Framework for Understanding Pathologies in Advanced Artificial Intelligence), but I found it truly fascinating. It’s one of the things we, as security practitioners, need to be cognizant of as we go forward with our AI tooling and efforts to protect against AI threats.  

_"As artificial intelligence (AI) systems attain greater autonomy and complex environmental interactions, they begin to exhibit behavioral anomalies that, by analogy, resemble psychopathologies observed in humans."_  

The behavior of an evolving AI, and the psychosis it could present, is a touch-point to the long-standing problematic internal employee. This creates an interesting dynamic for defense and strategies within the evolving internal landscape.  

I think understanding this presented framework can go a long way in identifying the types of behaviors that lead to malicious activity — not unlike understanding employee behavior. Stay ahead of the curve and prepare for not only a hallucinated package from an internal AI tool but perhaps a revelation that leads to new and interesting malicious behaviors.

**The one big thing **

In the latest episode of The Talos Threat Perspective, we explore three vulnerabilities that Talos researchers uncovered (and helped to fix) this year which highlight how attackers are pushing past the boundaries defenders rely on. One lived in the security chip within Dell laptops’ firmware, another in Microsoft Office for macOS permissions and the third in small office/home routers. 

**Why do I care? **

These aren’t just isolated issues. The Dell vulnerability showed that even a clean Windows reinstall isn’t always enough to kick out an attacker. The Office for macOS issue demonstrated how adversaries can “borrow” sensitive permissions like microphone access from trusted apps. And compromised routers allowed attackers to blend in with legitimate ISP traffic, making malicious connections hard to spot. Each case reveals current attacker creativity levels. 

**So now what? **

Take a closer look at the research:

*   Watch the full Talos Threat Perspective episode here: TTP Ep14: Persistence, Privilege & Camouflage 
*   Read Philippe’s blog on the Dell firmware vulnerabilities: Revault: When your SOC turns against you

**Top security headlines of the week **

**TransUnion says hackers stole 4.4 million customers’ personal information**   
TransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. They confirmed that the stolen PII includes customers’ names, dates of birth, and Social Security numbers. (TechCrunch) 

**Google warns that mass data theft hitting Salesloft AI agent has grown bigger**   
Google is advising users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. (Ars Technica) 

**High-severity vulnerability in Passwordstate credential manager**    
Passwordstate is urging companies to promptly install an update fixing a high-severity vulnerability that hackers can exploit to gain administrative access to their vaults. (Ars Technica) 

**JSON config file leaks Azure ActiveDirectory credentials**   
A publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD), potentially allowing cyberattackers to authenticate directly via Microsoft's OAuth 2.0 endpoints and infiltrate Azure cloud environments. (Dark Reading)

**WhatsApp zero-day exploited in attacks targeting Apple users**   
Tracked as CVE-2025-55177 (CVSS score of 5.4), an attacker could have exploited the issue to trigger the processing of content from arbitrary URLs, on the victims’ devices, WhatsApp’s advisory reads. (SecurityWeek)

**Can’t get enough Talos?**

**Cisco: 10 years protecting Black Hat**   
Cisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.

**Tales from the Black Hat NOC**   
How do you build and defend a network where attacks are not just expected, but a part of the curriculum? Hazel sits down with Jessica Oppenheimer to learn more.

**Static Tundra exposed**   
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide.

**Upcoming events where you can find Talos **

*   BlueTeamCon (Sept. 4 – 7) Chicago, IL 
*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**  
MD5: 85bbddc502f7b10871621fd460243fbc  
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A  
Claimed Product: Self-extracting archive  
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**     
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Win.Worm.Coinminer::1201  

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**    
MD5: 8c69830a50fb85d8a794fa46643493b2     
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0   
Typical Filename: AAct.exe     
Claimed Product: N/A     
Detection Name: PUA.Win.Dropper.Generic::1201 

**SHA 256: 186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62**   
MD5: bfc168a01a2b0f3cd11bf4bccd5e84a1   
VirusTotal: https://www.virustotal.com/gui/file/186aa2c281ca7bb699ce0b48240b7559a9ac5b0ba260fb78b81ec53249548f62   
Typical Filename: PDFSkills\_Updater.exe   
Claimed Product: PDF Skills   
Detection Name: Win64.Application.Agent.W2MG0A 

**SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08**    
MD5: 906282640ae3088481d19561c55025e4    
VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08    
Typical Filename: AAct\_x64.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Tool.Winactivator::1201

From summer camp to grind season

CISA updates its KEV List with TP-Link Wi-Fi extender and WhatsApp spyware flaws, urging users and agencies to…

CISA updates its KEV List with TP-Link Wi-Fi extender and WhatsApp spyware flaws, urging users and agencies to patch risks before exploitation spreads.

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added two significant security vulnerabilities to its official list of known exploited flaws. For your information, this catalogue is a list of vulnerabilities that have been actively used by malicious actors.

****High-Severity Flaw in TP-Link Extender****

First on the list is a high-severity flaw in a TP-Link Wi-Fi Range Extender, the model TL-WA855RE. This serious issue, tracked as CVE-2020-24363, has a score of 8.8 out of 10. The problem is a “missing authentication” flaw, which means an attacker can get high-level access to the device.

Cybersecurity firm MalwareForensics stated that a fix was issued, which is available here, but please note, this model has reached its “end-of-life” status. This means the manufacturer is no longer providing updates or support, making it an ongoing security risk. Users of this specific range extender are advised to switch to a newer model to ensure their network remains secure.

****WhatsApp Targeted by Spyware****

A second, less severe but still concerning, vulnerability has been found in WhatsApp. This flaw, assigned CVE-2025-55177 with a score of 5.4, was reportedly used in a highly-targeted spyware campaign. The issue stems from “incomplete authorisation” for messages synced with linked devices.

The attackers used this vulnerability in combination with a separate flaw in Apple’s iOS, iPadOS, and macOS operating systems, identified as CVE-2025-43300, as reported by _Hackread.com_ on August 31, 2025.

The vulnerability affected several versions of the application, including WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before version 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. WhatsApp announced it sent in-app warnings to under 200 users who may have been specifically targeted by the campaign.

****What To Do****

These vulnerabilities are considered a serious risk to the public and private sectors. While the CISA’s catalogue is primarily a guide for US federal agencies, the agency strongly urges all organisations, and even individual users, to take these risks seriously. The government’s Binding Operational Directive (BOD) 22-01 mandates that federal agencies fix these issues promptly. This includes prioritising and fixing these vulnerabilities to protect against potential cyberattacks.

The inclusion of these flaws in the CISA catalogue prompted reactions from cybersecurity experts, highlighting the broader implications for both businesses and individuals.

Randolph Barr, Chief Information Security Officer at Cequence Security, points out that the TP-Link issue is often tied to home workers. He states that employees “turn to consumer extenders as a cheap and easy way to fix Wi-Fi dead zones,” but these devices often have weak security and are rarely updated. For him, the vulnerability on the KEV list is a reminder that “unmanaged consumer gear can quietly extend your attack surface if not addressed.”

CISA Adds TP-Link Wi-Fi and WhatsApp Spyware Flaws to KEV List

Jaguar Land Rover is restoring systems after a cyberattack disrupted production and sales, with a hacker group previously…

Jaguar Land Rover is restoring systems after a cyberattack disrupted production and sales, with a hacker group previously linked to the M&S data breach claiming responsibility for the breach.

Jaguar Land Rover (JLR ) has confirmed it is recovering from a major cyber incident that forced parts of its global operations offline. Production lines and retail systems were disrupted after the company decided to shut down its IT environment as a containment measure.

The disruption meant dealers could continue selling vehicles already in stock, but were unable to register new cars for customers. Reports from staff and partners described significant delays, with some systems still being restored days later. JLR said it is working through a phased restart and that there is no evidence of customer data being compromised.

The hacker group connected to the Marks & Spencer data breach is stepping forward and claiming responsibility for the attack on Jaguar Land Rover. On a Telegram channel tied to collectives such as Scattered Spider, Lapsus$, and ShinyHunters, the group known as “Rey” posted a screenshot showing internal hostnames from JLR systems, giving credibility to the claim.

Analysts note that the screenshot aligns with the nature of an exploit revealed on Telegram earlier: a combination of two SAP NetWeaver vulnerabilities (CVE‑2025‑31324 and CVE‑2025‑42999), chained to gain administrative access and execute commands. While JLR has not verified the authenticity of these claims, the evidence suggests the attackers may be exploiting a sophisticated, multi-stage technical approach to breach the systems.

“This cyberattack isn’t just an operational setback. It is a revenue issue across the entire chain. Data suggests every hour of downtime in the automotive sector could cost upwards of £1.6M. Every day of halted production means fewer cars to sell, while dealers are losing immediate income from being unable to register or deliver vehicles, explained Tim Grieveson, CISO at ThingsRecon.

“For JLR, the priority is to quantify and communicate the financial exposure quickly, both in terms of missed sales and delayed cash flow. For dealers, the focus should be on customer management, which means keeping buyers informed, identifying potential data breaches that could feed down the chain, and pushing for contingency support from the manufacturer. The real risk is longer-term damage to customer confidence if remediation isn’t swift and transparent,” stressed Tim.

While JLR has not shared details on the exact number of sites affected or how long full recovery will take, it confirmed that systems are coming back online in stages. The company said in a press release that its teams, along with external cybersecurity specialists, are continuing investigations.

The incident shows how cyberattacks are no longer isolated IT problems but events that can disrupt production, revenue, and brand reputation across an entire sector. For automakers like JLR, the pressure is now on to restore operations quickly while reassuring both customers and partners that the road ahead is secure.

Jaguar Land Rover Cyberattack Disrupts Production and Sales Operations

A "sophisticated" attack that also exploits an Apple zero-day flaw is targeting a specific group of iPhone users, potentially with spyware.

WhatsApp Bug Anchors Targeted Zero-Click iPhone Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain

Vulnerability / Mobile Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain elevated access to the susceptible device.

"This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP\_RESET POST request for a factory reset and reboot," the agency said. "The attacker can then obtain incorrect access control by setting a new administrative password."

According to malwrforensics, the issue has been fixed with firmware version TL-WA855RE(EU)\_V5\_200731. However, it bears noting that the product has reached end-of-life (EoL) status, meaning it's unlikely to receive any patches or updates. Users of the Wi-Fi range extender are advised to replace their gear with a newer model that addresses the issue.

CISA has not shared any details on how the vulnerability is being exploited in the wild, by whom, or on the scale of such attacks.

Also added to the KEV catalog is a security flaw that WhatsApp disclosed last week (CVE-2025-55177, CVSS score: 5.4) as having been exploited as part of a highly-targeted spyware campaign by chaining it with an Apple iOS, iPadOS, and macOS vulnerability (CVE-2025-43300, CVSS score: 8.8).

Not much is known about who was targeted and which commercial spyware vendor is behind the attacks, but WhatsApp told The Hacker News that it sent in-app threat notifications to less than 200 users who may have been targeted as part of the campaign.

Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations by September 23, 2025, for both the vulnerabilities to counter active threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

Leaked ChatGPT chats reveal users sharing sensitive data, resumes, and seeking advice on mental health, exposing risks of…

Leaked ChatGPT chats reveal users sharing sensitive data, resumes, and seeking advice on mental health, exposing risks of oversharing with AI chatbots.

When thousands of ChatGPT conversations **appeared** online in August 2025, many people assumed the leak was technical. Instead, the real issue was human behaviour combined with confusing product design. A now-removed feature that allowed users to “make chats discoverable” had turned private conversations into public webpages, indexed by search engines for anyone to find.

Researchers at SafetyDetective analysed a dataset of 1,000 of these leaked conversations, totalling more than 43 million words. Their findings show that people are treating **AI tools** like therapists, consultants, and even confidants, often sharing information they would normally keep private.

Example of leaked ChatGPT chats on Google (Image via PCMag and Google)

****What People Are Sharing With ChatGPT****

Some of the content revealed in these conversations goes further than casual prompts. Users disclosed personally identifiable information such as full names, phone numbers, addresses, and resumes. Others spoke about sensitive topics, including suicidal thoughts, drug use, family planning, and discrimination.

The research also showed that a small fraction of conversations accounted for most of the data. Out of 1,000 chats, just 100 contained more than half of the total words analysed. One marathon conversation stretched to 116,024 words, which would take nearly two full days to type out at average human speed.

****Professional Advice or Privacy Risk?****

Nearly 60% of the flagged chats fell under what researchers categorised as “professional consultations.” Instead of calling a lawyer, teacher, or counsellor, users asked **ChatGPT** for guidance on education, legal issues, and even mental health. While this shows the trust people place in AI, it also highlights the risks when the chatbot’s responses are inaccurate or when private details are left exposed.

> _In one case, the AI mirrored a user’s emotional state during a conversation about addiction, escalating rather than de-escalating the tone._
> 
> Shipra Sanganeria – SafetyDetective

The **study** highlighted cases where users uploaded entire resumes or sought advice on mental health struggles. In one example, ChatGPT prompted someone to share their full name, phone numbers, and work history while generating a CV, exposing them to identity theft if the chat link was made public. In another case, the AI mirrored a user’s emotional state during a conversation about addiction, escalating rather than de-escalating the tone.

Top 20 Keywords

****Why This is a Serious Issue****

The incident points to two problems. First, many users did not fully understand that by making chats “discoverable,” their words could be crawled by search engines and made public. Second, the design of the feature made it too easy for private conversations to end up online.

On top of this, the study showed that ChatGPT often “**hallucinates**” actions, such as claiming it saved a document when it did not. These inaccuracies may seem normal in casual chats, but they become dangerous when people treat the AI as a reliable professional tool.

Another issue is that when conversations containing sensitive details are publicly available, they can be maliciously exploited. Personal information might be used in scams, identity theft, or doxxing. Even without direct PII, emotionally vulnerable exchanges could be misused in blackmail or harassment.

The researchers claim that **OpenAI** has never made strong privacy guarantees about how shared conversations are handled. While the feature responsible for this leak has been removed, the basic behaviour of users, treating AI like a safe confidant, remains unchanged.

**What Needs to Change**

SafetyDetective recommends two main actions. First, users should avoid putting sensitive personal details into chatbot conversations, no matter how private the interface feels. Second, AI companies need to make their warnings clearer and their sharing features more intuitive. Automatic redaction of PII before a chat is shared could prevent accidental leaks.

The researchers also called for more work on understanding user behaviour. Why do some people pour tens of thousands of words into a single chat? How often do users treat AI like therapists or legal experts? And what are the consequences of trusting a system that can mirror tone, generate misinformation, or fail to protect private data?

****Surprised? Don’t Be!****

These findings should not come as a surprise. Back in February 2025, _Hackread.com_ reported on a major **OmniGPT data breach** where hackers exposed highly sensitive information online.

The leaked dataset contained more than 34 million lines of user conversations with AI models such as ChatGPT-4, Claude 3.5, Perplexity, Google Gemini, and Midjourney, since OmniGPT combines several advanced models into a single interface.

Alongside the conversations, the breach also exposed around 30,000 user email addresses, phone numbers, login credentials, resumes, API keys, WhatsApp chat screenshots, police verification certificates, academic assignments, office projects, and much more.

What’s worse, OmniGPT did not even bother to respond or address the issue when alerted by _Hackread.com_. Tells you a lot about how little regard the company has for user privacy and security.

****The Main Thing****

Nevertheless, SafetyDetective’s analysis and ChatGPT chat leak are less about hacking or data breaches and more about people trusting AI with secrets they would hesitate to tell another person, and when those chats fall into the public domain, the consequences are immediate and personal.

Until AI platforms offer stronger privacy protections and people are more careful with what they share, it will be hard to tell the difference between a private chat and something that could end up public.

Leaked ChatGPT Chats: Users Treat AI as Therapist, Lawyer, Confidant

WhatsApp has patched a vulnerability that was used in conjunction with an Apple vulnerability in zero-click attacks.

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices.

Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:

> “Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.
> 
>   
> While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”

WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.

> “We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.
> 
>   
> To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.

**Technical details**

The zero-click attack required two vulnerabilities.

For iOS and Mac users these vulnerabilities were tracked as CVE-2025-43300 and lie in the Image I/O framework, the part of macOS and iOS that an app needs to open or save a picture. The problem came from an out-of-bounds write. Apple stepped in and tightened the rules with better bounds checking, closing off the hole so attackers can no longer use it.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, an attacker could construct an image to exploit the vulnerability.  Processing such a malicious image file would result in memory corruption. Attackers can exploit memory corruption flaws to crash important processes or execute their own code.

The second vulnerability, CVE-2025-55177 for WhatsApp users, is caused by incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

**What to do**

The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) that allowed the hijacking of devices by synchronizing messages.

Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.

While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.

If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp fixes vulnerability used in zero-click attacks 

This guide gives step-by-step instructions how how to enable two-step verification for WhatsApp on Android, iOS, and iPadOS

Two step verification is the name Meta uses for what is generally referred to as Two-factor authentication (2FA). 2FA is not fool-proof, but it is one of the best ways to protect your accounts from hackers.

It adds an extra step when logging in, which is a small extra effort for you, but it dramatically boosts your security. WhatsApp 2FA, called Two-Step Verification, requires you to enter a PIN code when registering your phone number on a new device, stopping hackers even if they have your SMS code.

Here’s how to enable 2FA on WhatsApp for Android and iOS.

1.  Open WhatsApp.
2.  Go to **Settings** (you’ll see it if you tap the three dots, usually located in the upper right corner).
3.  Tap **Account**.
4.  Select **Two-step verification**.
5.  Tap **Enable**.
6.  Create a unique 6-digit PIN and confirm it.
7.  Optionally, you can add your email address to recover your PIN if you forget it.
8.  Tap **Save**.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

**How to set up two-step verification for WhatsApp on iPhone or iPad**

1.  Open the WhatsApp app on your iPhone or iPad.
2.  Tap on **Settings** (the gear icon)
3.  Tap on **Account**.
4.  Select **Two-step verification**.
5.  Tap on **Turn on** or **Set up PIN** to begin.
6.  Enter a six-digit PIN of your choice, then enter it again to confirm it.
7.  Optionally, you can add your email address to recover your PIN if you forget it.
8.  Tap **Save** or **Done**.
9.  If you added an email, enter the verification code sent to that email to complete the process.

Now, whenever you verify your phone number on WhatsApp and every so often when you open the app, you’ll need the 6-digit PIN.

****Enable it today if you can****

Even the strongest password isn’t enough on its own. 2FA means a thief must have access to your an additional factor to be able to log in to your account, whether that’s a code on a physical device or a security key. In addition to your password, this makes an account takeover much harder.

We recommend you set up 2FA on all your important accounts, including messaging and social media accounts. Do it today if you get a chance: It only takes a few minutes but can save you from hours or even days of headaches later. It’s currently the best password advice we have.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to set up two-step verification on your WhatsApp account 

Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door.
The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large

⚡ Weekly Recap: WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The…

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The flaw was used to steal data. Update your app now to stay protected.

WhatsApp has revealed it has patched a serious security vulnerability in its apps for Apple devices that was used to secretly compromise the iPhones and Macs of “specific targeted users.”

The bug, identified as CVE-2025-55177, was discovered by WhatsApp’s internal security team. The company explained in its official advisory that the flaw was part of a sophisticated attack chain that linked two separate vulnerabilities. This is a zero-click attack method, which does not require a victim to click on a link, open a file, or take any other action for their device to be compromised.

The flaw itself was a case of “incomplete authorisation of linked device synchronisation messages,” the advisory explains. This allowed an unrelated user to force a target’s device to process content from a malicious web address.

When paired with a separate Apple flaw, CVE-2025-43300 (which Apple had already fixed), in how it handles images, this attack chain could be used to install a malicious program and steal data without any user interaction. It is worth noting that the flaw affects WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before version 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. WhatsApp confirmed it had sent notifications to “less than 200” users it believed had been affected.

According to a statement from the National Cybersecurity Agency (NCSA) in Qatar, the severity of this flaw lies in its mechanism for processing synchronisation messages between linked devices, which could allow a hacker to gain initial access to a victim’s device.

> #Meta, the owner of the famous chat app #WhatsApp, has announced the existence of a critical vulnerability in the app. The severity of this flaw lies in the mechanism for processing synchronization messages between linked devices, allowing an attacker to send a crafted… pic.twitter.com/dYIwdij0gP
> 
> — Qatar Tribune (@Qatar\_Tribune) August 30, 2025

Amnesty International’s Security Lab, led by Donncha Ó Cearbhaill, described the pair of bugs as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May, and was capable of stealing data from a user’s device, including messages. In a post on X, Cearbhaill also shared necessary tips, advising people to update their devices or perform a factory reset.

(X.com)

While it’s not yet clear who is behind this latest attack, it is not the first time that WhatsApp users have been targeted by advanced spyware. In 2019, the messaging app sued the spyware maker NSO Group for a hacking campaign that compromised more than 1,400 users with its Pegasus spyware. A US court later ordered the company to pay WhatsApp $167 million in damages.

This new incident shows the ongoing threat of government spyware and malware. It also emphasises why users should always keep their apps and operating systems updated, as these updates often contain critical security patches to protect against such sophisticated attacks.

Tag

#sap