Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bounties This Year

By Team-CWD | November 28, 2025


Meta on Tuesday said it has made available a tool called WhatsApp Research Proxy to some of its long-time bug bounty researchers to help improve the program and more effectively research the messaging platform’s network protocol.

The idea is to make it easier to delve into WhatsApp-specific technologies as the application continues to be a lucrative attack surface for state-sponsored actors and commercial spyware vendors.

The company also noted that it’s setting up a pilot initiative where it’s inviting research teams to focus on platform abuse with support for internal engineering and tooling. “Our goal is to lower the barrier of entry for academics and other researchers who might not be as familiar with bug bounties to join our program,” it added.

The development comes as the social media giant said it has awarded more than $25 million in bug bounties to over 1,400 researchers from 88 countries in the last 15 years, out of which more than $4 million were paid out this year alone for almost 800 valid reports. In all, Meta said it received around 13,000 submissions.

Some of the notable bug discoveries included an incomplete validation bug in WhatsApp prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 that could have enabled a user to trigger processing of content retrieved from an arbitrary URL on another user’s device. There is no evidence that the issue was exploited in the wild.

Meta also released an operating system-level patch to mitigate the risk posed by a vulnerability tracked as CVE-2025-59489 (CVSS score: 8.4) that could have allowed malicious applications installed on Quest devices to manipulate Unity applications to achieve arbitrary code execution. Flatt Security researcher RyotaK has been acknowledged for discovering and reporting the flaw.

Simple WhatsApp Security Flaw Exposes 3.5 Billion Phone Numbers

Lastly, Meta said it added anti-scraping protections to WhatsApp following a report that detailed a novel method to enumerate WhatsApp accounts at scale across 245 countries and build a dataset containing every user, bypassing the service’s rate-limiting restrictions. WhatsApp has about 3.5 billion active users.

The attack takes advantage of a legitimate WhatsApp contact discovery feature that requires users to first determine whether their contacts are registered on the platform. It essentially allows an attacker to compile basic publicly accessible information about users, along with their profile photos, About text, and timestamps associated with key updates to those two attributes. Meta said it found no indications that this vector was ever abused in a malicious context.

Interestingly, the study found millions of phone numbers registered to WhatsApp in countries where it’s officially banned, including 2.3 million in China and 1.6 million in Myanmar.

“Normally, a system shouldn’t respond to such a high number of requests in such a short time – particularly when originating from a single source,” Gabriel Gegenhuber, University of Vienna researcher and lead author of the study, said. “This behavior exposed the underlying flaw, which allowed us to issue effectively unlimited requests to the server and, in doing so, map user data worldwide.”
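The control whose absence the researchers describe, a cap on how many lookups a single source can get answered in a short time, can be sketched as a sliding-window budget on distinct numbers queried. This is an added example, not WhatsApp's or the researchers' code; the class and function names, the thresholds, the source identifiers and the phone numbers are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LookupBudget:
    """Sliding-window budget on distinct phone numbers one source may query."""

    def __init__(self, max_distinct, window_seconds):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self.events = defaultdict(deque)   # source -> deque of (ts, number)
        self.counts = defaultdict(dict)    # source -> {number: hits in window}

    def _expire(self, source, now):
        q, seen = self.events[source], self.counts[source]
        while q and now - q[0][0] >= self.window:
            _, number = q.popleft()
            seen[number] -= 1
            if seen[number] == 0:
                del seen[number]

    def allow(self, source, number, now):
        """Return True if the lookup may be answered, False if refused."""
        self._expire(source, now)
        seen = self.counts[source]
        # Re-checking a number already in the window costs no budget:
        # legitimate address-book syncs repeat the same contacts.
        if number not in seen and len(seen) >= self.max_distinct:
            return False
        self.events[source].append((now, number))
        seen[number] = seen.get(number, 0) + 1
        return True


def replay(log, max_distinct, window_seconds):
    """Replay (ts, source, number) records; return refused count per source."""
    budget = LookupBudget(max_distinct, window_seconds)
    refused = defaultdict(int)
    for ts, source, number in log:
        if not budget.allow(source, number, ts):
            refused[source] += 1
    return dict(refused)


# Constructed sample log (hypothetical sources and numbers): client-a re-syncs
# the same 3 contacts, client-b walks a sequential number range.
SAMPLE_LOG = (
    [(t, "client-a", f"+4366000000{t % 3}") for t in range(30)]
    + [(t, "client-b", f"+43660{t:07d}") for t in range(30)]
)
SAMPLE_LOG.sort(key=lambda r: r[0])
```

Counting distinct numbers rather than raw requests keeps repeated syncs of the same address book from being penalised while a range walk exhausts its budget quickly. A per-source budget only addresses the single-source case described in the quote above.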


“We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses,” Nitin Gupta, vice president of engineering at WhatsApp, told The Hacker News in a statement.

“Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.”

Earlier this year, Gegenhuber et al. also published research titled Careless Whisper that showed how delivery receipts can pose significant privacy risks to users: an attacker can send specifically crafted messages that trigger delivery receipts without the target's knowledge or consent and extract their activity status.

“By using this technique at high frequency, we demonstrate how an attacker could extract private information, such as following a user across different companion devices, inferring their daily schedule, or deducing current activities,” the researchers noted.

“Moreover, we can infer the number of currently active user sessions (i.e., main and companion devices) and their operating system, as well as launch resource exhaustion attacks, such as draining a user’s battery or data allowance, all without generating any notification on the target side.”

(The story was updated after publication to include a response from WhatsApp and make it clear that CVE-2025-59489 was patched and issued by Unity.)


