- Meta has introduced the WhatsApp Research Proxy tool to aid bug bounty researchers in analyzing WhatsApp’s network protocol.
- The company awarded over $25 million in bug bounties in 15 years, including $4 million this year for nearly 800 valid reports.
- A WhatsApp security flaw allowed mass enumeration of 3.5 billion phone numbers using the contact discovery feature, now mitigated by added anti-scraping protections.
- Additional vulnerabilities include an incomplete validation bug in WhatsApp and a code execution flaw in Unity apps on Quest devices.
- Researchers earlier demonstrated how WhatsApp delivery receipts could be exploited for privacy breaches and resource exhaustion attacks.
In November 2025, Meta rolled out the WhatsApp Research Proxy tool to selected bug bounty researchers to enhance the study of WhatsApp’s network protocol. This initiative supports in-depth analysis of the messaging platform, which remains a target for state-sponsored and commercial spyware threats. The company also launched a pilot program inviting research teams to focus on combating platform abuse with internal engineering support, aiming to encourage broader academic participation in bug bounty efforts, as stated here.
Over the past 15 years, Meta has distributed more than $25 million in bug bounty rewards to upwards of 1,400 researchers from 88 countries. In 2025 alone, the company paid over $4 million for nearly 800 confirmed security reports out of approximately 13,000 submissions. Noteworthy bugs addressed include an incomplete validation flaw in WhatsApp versions prior to v2.25.23.73 on iOS and Mac, which could have allowed users to trigger content processing from arbitrary URLs on other devices. There is no indication this issue was exploited in the wild.
Another critical fix involved a vulnerability, tracked as CVE-2025-59489 and detailed here, affecting Unity applications on Quest devices that could permit malicious apps to achieve arbitrary code execution. This flaw was reported by RyotaK of Flatt Security.
Meta additionally fortified WhatsApp against an attack reported here that exploited the contact discovery feature to scrape user data, compiling a database of all 3.5 billion active WhatsApp users worldwide. The method bypassed rate-limiting defenses, enabling enumeration of phone numbers and gathering publicly accessible information such as profile images, About sections, and update timestamps. Researchers found millions of number registrations in countries where WhatsApp is officially banned, including China and Myanmar.
According to Gabriel Gegenhuber, lead author of this study from the University of Vienna, “Normally, a system shouldn’t respond to such a high number of requests in such a short time – particularly when originating from a single source.” This vulnerability permitted unlimited server requests to map user data globally.
Earlier research by Gegenhuber and colleagues, documented here, revealed that WhatsApp delivery receipts could be exploited to extract private user activity details without consent. They demonstrated that crafted messages might trigger these receipts to track device usage, infer schedules, or launch attacks that drain battery or data without alerting the user.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
