{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"$1 Million WhatsApp Exploit Withdrawn—Researcher Silent, Meta Calls It “Low-Risk”","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/1d69493e\"></iframe>","width":"100%","height":180,"duration":1222,"description":"The Pwn2Own Ireland 2025 hacking competition was set to feature one of its most anticipated moments — a $1 million zero-click remote code execution exploit against WhatsApp — but the demonstration never happened. Scheduled to be showcased by researcher Eugene of Team Z3, the exploit’s abrupt withdrawal stunned attendees and quickly became the most controversial event of the competition. Organized by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own had validated the exploit’s entry, fueling expectations that WhatsApp would face a serious zero-day challenge in front of a live audience. Yet when the researcher pulled out hours before the demo, official explanations shifted, and a clash of narratives began to unfold between ZDI, the researcher, and WhatsApp’s parent company, Meta.ZDI initially cited travel issues as the reason for the cancellation, later updating its statement to say the exploit was “not sufficiently prepared for public demonstration.” By evening, ZDI announced that Team Z3 had agreed to a private disclosure, promising to share details confidentially with Meta. Researcher Eugene confirmed the arrangement the following day, explaining that a signed non-disclosure agreement (NDA) prevented him from revealing more and that he wished to maintain anonymity. That silence created a vacuum—one that Meta quickly filled.In a pointed public statement, WhatsApp claimed the researcher’s submission was not viable, describing it instead as two “low-risk bugs” and expressing disappointment that the team withdrew. The language was notably firm, designed to reassure users and minimize perception of risk. Yet, to many in the cybersecurity community, this reframing directly contradicted the exploit’s prior $1 million valuation and ZDI’s validation, raising doubts about whether the exploit had been downplayed for public-relations reasons.Analysts observed that ZDI’s evolving messaging — from travel delays to incomplete preparation — suggested an effort to contain...","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}