WhatsApp Chats Stored Unencrypted, Meta Apps Share Data Access
Security researchers at Mysk have disclosed that WhatsApp stores user chat histories in plaintext within shared app group containers on macOS and iOS, raising serious concerns about cross-app data access within Meta’s application ecosystem.
According to the findings, WhatsApp’s message database is stored without encryption at rest inside a container labeled “group.com.facebook.family”, a shared space also accessible by other Meta-owned apps, including Facebook and Instagram.
This architecture exists even though WhatsApp operates under a separate Apple developer account, a detail confirmed by reviewing the entitlements files for each application.
Apple’s app group container system is designed to allow data sharing between apps from the same developer. However, the shared structure among Meta applications introduces significant privacy risks:
- Chat databases are stored in plaintext with no encryption at rest
- Other Meta apps installed on the same device could theoretically access WhatsApp message data without explicit user consent
- No user notification or permission prompt exists for intra-group container access
- The vulnerability affects both macOS and iOS environments
- iPhone backups expose the same unencrypted database structure, enabling chat extraction
Researchers demonstrated the issue by successfully extracting WhatsApp chat data from iPhone backups, confirming that encryption at rest is absent across Apple’s backup pipeline as well.
The exposure is further compounded by a recently disclosed macOS sandbox vulnerability, CVE-2026-28910, affecting Apple’s Archive Utility tool. This flaw enables near-unrestricted filesystem access and can bypass Apple’s App Sandbox and Transparency, Consent, and Control (TCC) protections.
When chained with WhatsApp’s unencrypted storage behavior, an attacker exploiting this flaw could potentially:
- Access protected app group containers without authorization
- Extract sensitive data from WhatsApp, Messages, Safari, and other sandboxed apps
- Circumvent TCC safeguards that normally gate access to sensitive system resources
A proof-of-concept demonstration showed how both weaknesses could be combined to retrieve WhatsApp chat histories from a compromised macOS device.
Not all security experts view the finding with equal severity. WABetaInfo acknowledged that while local WhatsApp databases may lack encryption, they remain within Apple’s sandboxed environment, which is architected to block unauthorized access under normal conditions.
From this standpoint, exploiting the container would require either system-level privileges or an OS vulnerability.
However, Mysk maintains that shared entitlements across Meta applications inherently weaken app isolation, allowing Meta-controlled apps to share data internally without user awareness, regardless of OS-level sandbox protections.
Mitigation
Users and organizations can take the following steps to reduce exposure:
- Enable encrypted iTunes or Finder backups for all iOS devices
- Keep macOS and iOS fully updated to patch CVE-2026-28910 and related vulnerabilities
- Limit installations of multiple apps from the same developer ecosystem where possible
- Use device-level encryption combined with a strong alphanumeric passcode
- Periodically audit app entitlements and permissions through device settings
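As an added illustration of the entitlement audit mentioned above (not code from Mysk or from the original article), the following Python sketch parses entitlements plists and reports app groups declared by more than one app, flagging groups shared across different developer team IDs. The sample entitlements are constructed; the team IDs and every group name other than group.com.facebook.family are placeholders.

```python
import plistlib
from collections import defaultdict

GROUPS_KEY = "com.apple.security.application-groups"
TEAM_KEY = "com.apple.developer.team-identifier"


def make_entitlements(team, groups):
    """Serialize a constructed entitlements plist for the sample data."""
    return plistlib.dumps({TEAM_KEY: team, GROUPS_KEY: groups})


# Constructed sample input. Team IDs and every group except
# group.com.facebook.family (named in the article) are placeholders.
SAMPLE = {
    "WhatsApp": make_entitlements("TEAMID0001", ["group.com.facebook.family", "group.example.wa"]),
    "Facebook": make_entitlements("TEAMID0002", ["group.com.facebook.family"]),
    "Instagram": make_entitlements("TEAMID0002", ["group.com.facebook.family", "group.example.ig"]),
    "OtherApp": plistlib.dumps({TEAM_KEY: "TEAMID0003"}),  # declares no app groups
}


def shared_app_groups(entitlements_by_app):
    """Return app groups declared by two or more apps, with a cross-team flag."""
    members = defaultdict(list)
    for app, raw in entitlements_by_app.items():
        try:
            ent = plistlib.loads(raw)
        except Exception:
            continue  # unreadable or unsigned app: nothing to audit
        groups = ent.get(GROUPS_KEY, [])
        if isinstance(groups, str):  # tolerate a single string value
            groups = [groups]
        for group in groups:
            members[group].append((app, ent.get(TEAM_KEY, "unknown")))
    report = {}
    for group, apps in members.items():
        if len(apps) > 1:
            report[group] = {
                "apps": sorted(name for name, _ in apps),
                "cross_team": len({team for _, team in apps}) > 1,
            }
    return report


if __name__ == "__main__":
    for group, info in shared_app_groups(SAMPLE).items():
        flag = "different team IDs" if info["cross_team"] else "same team ID"
        print(f"{group}: {', '.join(info['apps'])} ({flag})")
```

On macOS, the entitlements of an installed app can be dumped with codesign -d --entitlements and passed to shared_app_groups as bytes in place of the sample data.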
While no widespread active exploitation has been reported, the research reinforces a critical gap in mobile security: end-to-end encryption secures data in transit, but offers no guarantee of protection once messages are stored locally.
As tightly integrated app ecosystems like Meta’s continue to expand, securing data at rest must become an equally prioritized safeguard.