Master's research · MCS · UNSTPB · 2026

Zero-Click, Old Tricks

No click required. No user error. Just a photograph. In 2025, two vulnerabilities — a WhatsApp authorization bypass and a heap overflow in Apple's ImageIO — were chained into a remote code execution primitive and used in the wild against ~200 journalists and civil-society figures over 90 days.

~200 targeted victims
90d in-the-wild window
2 chained CVEs
8.8 CVSS (both, high)

A 30-year lineage

The same primitive, again and again

1996 · Smashing the Stack
Aleph One's Phrack 49 codifies stack overflow exploitation.

2013 · Eternal War in Memory
Szekeres et al.: memory-corruption bugs resist every deployed mitigation.

2021 · FORCEDENTRY
iMessage + CoreGraphics zero-click. Citizen Lab & Project Zero disclose.

2025 · WhatsApp × ImageIO
Linked-device bypass + DNG heap OOB write. ~200 targets, 90 days.
