
Meta announced Tuesday that it has provided a tool called WhatsApp Research Proxy to select security researchers who participate in its bug bounty program, to help them investigate the messaging platform’s network protocols more effectively and improve their submissions.
The aim is to make it easier to explore WhatsApp’s unique technology, as it remains a lucrative attack surface for state-sponsored attackers and commercial spyware vendors.
The company also noted that it is launching a pilot initiative to invite a research team to focus on exploiting the platform, with support from in-house engineering and tools. “Our goal is to lower the barrier for academics and other researchers who are less familiar with bug bounties to participate in our program,” the company added.

The development comes after the social media giant announced that it has awarded more than $25 million in bug bounties to more than 1,400 researchers in 88 countries over the past 15 years, with more than $4 million paid out this year alone for around 800 valid reports. According to Meta, about 13,000 submissions were received in total.
Some of the notable bug findings include an incomplete validation bug in WhatsApp before WhatsApp v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 that could allow a user to trigger processing of content retrieved from any URL on another user’s device. There is no evidence that this issue has been exploited in the wild.
Meta has also released an operating system level patch to mitigate the risk posed by the vulnerability tracked as CVE-2025-59489 (CVSS score: 8.4). This vulnerability could allow a malicious application installed on a Quest device to manipulate Unity applications and execute arbitrary code. Flatt Security researcher RyotaK is credited with discovering and reporting this flaw.

3.5 billion phone numbers exposed due to simple security flaw in WhatsApp
Finally, Meta said it has added anti-scraping protection to WhatsApp following a report detailing a new way to massively enumerate WhatsApp accounts from 245 countries and bypass the service’s rate-limiting restrictions to build a dataset that includes all users. WhatsApp has around 3.5 billion active users.
The attack abuses WhatsApp’s legitimate contact discovery feature, which lets users check whether the numbers in their address book are registered on the platform. Queried at scale, it lets an attacker extract each account’s basic publicly accessible information, along with the profile picture, About text, and the timestamps associated with updates to those two attributes. Meta said it found no evidence that this vector was used maliciously.
Interestingly, the study found that millions of phone numbers are registered with WhatsApp in countries where WhatsApp is officially banned, including 2.3 million in China and 1.6 million in Myanmar.
“Normally a system should not respond to so many requests in such a short period of time, especially if they are coming from a single source,” said Gabriel Gegenhuber, a researcher at the University of Vienna and lead author of the study. “This behavior exposed a fundamental flaw that allowed it to issue virtually unlimited requests to the server, and in doing so, map user data around the world.”
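The rate-limiting gap described above, illustrated with an added example that is not part of the article or of WhatsApp’s own code: a per-source sliding-window check on a contact-discovery endpoint, replayed over constructed traffic (a normal address-book sync beside a bulk enumeration run). The thresholds, source names and number formats are constructed assumptions.

```python
"""Added example (not from the article): sliding-window anti-scraping check for a
contact-discovery endpoint. A client syncing its address book looks up a few hundred
numbers; an enumeration run looks up thousands from one source in seconds."""
from collections import defaultdict, deque

# Constructed limits: at most MAX_LOOKUPS distinct numbers per source per window.
WINDOW_SECONDS = 3600
MAX_LOOKUPS = 5000


class ContactDiscoveryLimiter:
    def __init__(self, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS):
        self.window = window
        self.max_lookups = max_lookups
        # Per-source queue of (timestamp, number) lookups still inside the window.
        self._events = defaultdict(deque)

    def check(self, source, ts, numbers):
        """Return (allowed, reason). Counts distinct numbers queried by `source` in the
        trailing window; a batch that would push the count over the limit is refused.
        Re-checking an already counted number is free, so normal re-syncs are not penalised."""
        q = self._events[source]
        while q and q[0][0] <= ts - self.window:  # drop expired lookups
            q.popleft()
        recent = {n for _, n in q}
        new = set(numbers) - recent
        if len(recent) + len(new) > self.max_lookups:
            return False, f"{source}: over {self.max_lookups} distinct lookups in {self.window}s"
        for n in new:
            q.append((ts, n))
        return True, "ok"


def replay(limiter, requests):
    """Replay (ts, source, numbers) batches; return the number of refused batches per source."""
    refused = defaultdict(int)
    for ts, source, numbers in requests:
        allowed, _ = limiter.check(source, ts, numbers)
        if not allowed:
            refused[source] += 1
    return dict(refused)


def demo():
    """Constructed traffic: one legitimate client and one enumeration source."""
    requests = [(0, "client-A", [f"+1555{i:07d}" for i in range(300)]),   # address-book sync
                (600, "client-A", [f"+1555{i:07d}" for i in range(300, 320)])]  # small delta
    for b in range(20):  # 20 batches of 1000 sequential numbers within a minute
        requests.append((b * 3, "scraper-B", [f"+4300{b * 1000 + i:06d}" for i in range(1000)]))
    return replay(ContactDiscoveryLimiter(), requests)
```

With the constructed limits the legitimate client is never refused, while the enumeration source is cut off after its fifth batch; in practice the window, limit and the per-source key (account, device, IP) are tuning decisions that belong with the rest of the platform's abuse-detection signals.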

“We are already working on industry-leading anti-scraping systems, and this research helped us stress test and confirm the immediate effectiveness of these new defenses,” Nitin Gupta, WhatsApp’s vice president of engineering, told Hacker News in a statement.
“Importantly, the researchers securely deleted the data they collected as part of their research, and we have found no evidence that malicious actors are exploiting this vector. As a reminder, thanks to WhatsApp’s default end-to-end encryption, users’ messages remain private and secure, and the researchers were unable to access any non-public data.”
Earlier this year, Gegenhuber and colleagues also published another study, titled Careless Whisper, which showed how delivery receipts can pose significant privacy risks to users: an attacker can send specially crafted messages that trigger delivery receipts and reveal the recipient’s activity status without the user’s knowledge or consent.
“By using this technique at high frequency, we demonstrated how attackers can extract personal information, including tracking users across different companion devices, inferring users’ daily schedules, and inferring their current activities,” the researchers said.
“Furthermore, it is possible to infer the number of currently active user sessions (main and companion devices) and their operating systems, and launch resource exhaustion attacks such as draining the user’s battery or data capacity, without generating notifications on the target side.”
(Article updated after publication to include a response from WhatsApp and clarify that CVE-2025-59489 was patched and published by Unity.)
