WhatsApp: WhatsApp Chat Histories Exposed in Unencrypted Storage on macOS and iOS

WhatsApp Chat Data Stored Unencrypted in Meta’s Shared App Containers on macOS and iOS

Security researchers at Mysk have uncovered a potential privacy risk in how WhatsApp stores user chat data on macOS and iOS, revealing that message databases may be kept in unencrypted plaintext within shared app group containers. These containers, used by Meta-owned applications (including Facebook, Instagram, and WhatsApp), allow data sharing between apps signed by the same developer under the identifier “group.com.facebook.family.”

The issue stems from WhatsApp’s storage architecture, where chat histories are saved without encryption at rest. This means:

  • Other Meta apps on the same device could theoretically access WhatsApp data without explicit user consent.
  • No notification mechanism exists to alert users of such access.
  • The vulnerability affects both macOS and iOS, with researchers demonstrating that unencrypted chat data can also be extracted from iPhone backups.

The risk is further amplified by a macOS vulnerability (CVE-2026-28910), which allows attackers to bypass Apple’s App Sandbox protections. Exploiting this flaw could enable:

  • Access to protected app containers, including those for WhatsApp, Messages, and Safari.
  • Extraction of sensitive data while circumventing Transparency, Consent, and Control (TCC) safeguards.
  • A proof-of-concept attack combining this exploit with WhatsApp’s storage behavior to retrieve chat histories.

While some experts, such as WABetaInfo, argue that the data remains within Apple’s sandboxed environment and that accessing it requires either system-level privileges or OS exploits, Mysk contends that Meta’s shared app group entitlements weaken isolation boundaries, enabling internal data sharing without user awareness.

The findings underscore broader concerns about data-at-rest security in mobile ecosystems:

  • End-to-end encryption protects messages in transit but does not secure local storage.
  • Shared app containers increase the attack surface when combined with OS-level vulnerabilities.
  • Backup extraction remains a viable method for accessing sensitive data if not encrypted.

No widespread exploitation has been reported, but the research highlights the need for stronger local encryption in tightly integrated app ecosystems like Meta’s.
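As a check on the at-rest point above, the following added example (not code from Mysk, Meta or the original article) audits a directory the reviewer owns, such as their own app's group container in a test build, and flags files whose leading bytes are a plaintext SQLite database or write-ahead-log header. The sample tree and file names are constructed, and the assumption is that a database encrypted as a whole file exposes no such header.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of a plaintext database
WAL_MAGICS = (b"\x37\x7f\x06\x82", b"\x37\x7f\x06\x83")  # plaintext WAL sidecar

def classify(path):
    """Return 'sqlite', 'sqlite-wal' or None from the file's leading bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        return None  # unreadable files are skipped, not reported
    if head == SQLITE_MAGIC:
        return "sqlite"
    if head[:4] in WAL_MAGICS:
        return "sqlite-wal"
    return None

def find_plaintext_databases(root):
    """Walk root and list (relative_path, kind) for each plaintext SQLite artifact."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                findings.append((os.path.relpath(full, root), kind))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one plaintext database and one opaque blob
    standing in for a database encrypted as a whole file (assumption)."""
    root = tempfile.mkdtemp(prefix="container-audit-")
    os.makedirs(os.path.join(root, "Shared"))
    con = sqlite3.connect(os.path.join(root, "Shared", "messages-sample.sqlite"))
    con.execute("CREATE TABLE msg (body TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(root, "Shared", "encrypted-sample.db"), "wb") as fh:
        fh.write(os.urandom(4096))  # no recognizable header
    return root

if __name__ == "__main__":
    for rel, kind in find_plaintext_databases(build_sample_tree()):
        print(f"{kind}\t{rel}")
```

A header match shows only that the file is readable without a key; whether the platform's file-level data protection also applies has to be checked separately.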

Source: https://gbhackers.com/whatsapp-chat-histories-exposed/

WhatsApp TPRM report: https://www.rankiteo.com/company/whatsapp.

"id": "wha1779711949",
"linkid": "whatsapp.",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Potentially all WhatsApp users '
                                              'on macOS and iOS',
                        'industry': 'Technology/Social Media',
                        'location': 'Global',
                        'name': 'WhatsApp (Meta)',
                        'size': 'Large (Meta-owned)',
                        'type': 'Messaging Application'}],
 'attack_vector': 'Local Storage Vulnerability',
 'data_breach': {'data_encryption': 'No encryption at rest',
                 'data_exfiltration': 'Possible via macOS sandbox bypass or '
                                      'iPhone backups',
                 'file_types_exposed': 'Message databases (plaintext)',
                 'personally_identifiable_information': 'Potentially (depends '
                                                        'on chat content)',
                 'sensitivity_of_data': 'High (private conversations)',
                 'type_of_data_compromised': 'Chat histories, potentially '
                                             'including personally '
                                             'identifiable information (PII)'},
 'description': 'Security researchers at Mysk have uncovered a potential '
                'privacy risk in how WhatsApp stores user chat data on macOS '
                'and iOS, revealing that message databases may be kept in '
                'unencrypted plaintext within shared app group containers. '
                'These containers, used by Meta-owned applications (including '
                'Facebook, Instagram, and WhatsApp), allow data sharing '
                'between apps signed by the same developer under the '
                "identifier 'group.com.facebook.family.' The issue stems from "
                'WhatsApp’s storage architecture, where chat histories are '
                'saved without encryption at rest, enabling other Meta apps on '
                'the same device to theoretically access WhatsApp data without '
                'explicit user consent. The vulnerability affects both macOS '
                'and iOS, with researchers demonstrating that unencrypted chat '
                'data can also be extracted from iPhone backups. The risk is '
                'further amplified by a macOS vulnerability (CVE-2026-28910), '
                'which allows attackers to bypass Apple’s App Sandbox '
                'protections, enabling access to protected app containers and '
                'extraction of sensitive data while circumventing '
                'Transparency, Consent, and Control (TCC) safeguards.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'privacy concerns',
            'data_compromised': 'WhatsApp chat histories',
            'identity_theft_risk': 'High (if PII is exposed)',
            'legal_liabilities': 'Potential regulatory violations (e.g., GDPR, '
                                 'CCPA)',
            'systems_affected': 'macOS, iOS'},
 'investigation_status': 'Research disclosed, no confirmed exploitation',
 'lessons_learned': 'End-to-end encryption in transit does not secure local '
                    'storage; shared app containers increase attack surface; '
                    'backup extraction remains a viable method for accessing '
                    'sensitive data if not encrypted.',
 'post_incident_analysis': {'corrective_actions': 'Encrypt data at rest; '
                                                  'restrict shared app '
                                                  'container access; patch '
                                                  'macOS sandbox '
                                                  'vulnerability; implement '
                                                  'user notifications for data '
                                                  'access by other apps.',
                            'root_causes': 'Unencrypted data storage in shared '
                                           'app containers; macOS sandbox '
                                           'bypass vulnerability '
                                           '(CVE-2026-28910); lack of user '
                                           'notification for cross-app data '
                                           'access.'},
 'recommendations': 'Implement encryption at rest for WhatsApp chat data; '
                    'review shared app container permissions; enhance sandbox '
                    'protections; notify users of data access by other Meta '
                    'apps; conduct security audits of local storage practices.',
 'references': [{'source': 'Mysk'}, {'source': 'WABetaInfo'}],
 'regulatory_compliance': {'regulations_violated': 'Potential violations of '
                                                   'GDPR, CCPA, or other data '
                                                   'protection laws'},
 'title': 'WhatsApp Chat Data Stored Unencrypted in Meta’s Shared App '
          'Containers on macOS and iOS',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Unencrypted data at rest in shared app '
                            'containers, macOS sandbox bypass (CVE-2026-28910)'}