Meta gives researchers a WhatsApp Research Proxy and tightens anti-scraping protections

Meta has made a tool called WhatsApp Research Proxy available to select long‑time bug bounty researchers to help investigate the messaging platform’s network protocol and improve its vulnerability program. The company said it is also launching a pilot to invite research teams to focus on platform abuse with engineering and tooling support.

The work comes as Meta highlighted the scale of its bug bounty effort, saying it has awarded more than $25 million in bug bounties to over 1,400 researchers across 88 countries over the past 15 years, including more than $4 million this year for almost 800 valid reports from about 13,000 submissions.

Meta listed several specific findings that have come through its program. One was an incomplete validation bug in multiple WhatsApp clients that could have allowed content retrieved from an arbitrary URL to be processed on another user's device; the company said there is no evidence the issue was exploited in the wild. Meta also released an operating system-level patch to mitigate CVE-2025-59489 (CVSS 8.4), a vulnerability that could allow malicious applications on Quest devices to manipulate Unity applications and achieve arbitrary code execution, citing Unity's advisory for that CVE and researcher writeups posted by Flatt Security.

Following a public research report that described a method to enumerate WhatsApp accounts at scale, Meta said it has added anti‑scraping protections to the service. The research, published on GitHub, described how the contact discovery feature could be abused to compile publicly accessible profile information, photos and timestamps by issuing a high volume of requests that bypassed rate limits; Meta said it found no signs of malicious actors abusing the vector and that the researchers securely deleted the collected data.

The study’s lead author, Gabriel Gegenhuber of the University of Vienna, said the server response behaviour made it possible to issue effectively unlimited requests and map user data worldwide, and the researchers reported findings that included millions of phone numbers registered in countries where WhatsApp is officially banned, including about 2.3 million in China and 1.6 million in Myanmar. The researchers previously demonstrated a related privacy technique, titled Careless Whisper, that used delivery‑receipt mechanics to infer user activity and session details.
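The abuse pattern described above (bulk contact-discovery lookups that outrun rate limits) is the kind of thing a service-side detector can spot in its own request logs. The following is an added example, not WhatsApp's or the researchers' code; the log format, client ids, phone numbers and thresholds are all constructed assumptions for illustration.

```python
# Added example, not WhatsApp's code: flag bulk contact-discovery enumeration; log format and thresholds assumed.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: "<unix_ts> <client_id> <comma-separated phone numbers>"
SAMPLE_LOG = """\
1700000000 c-normal +4366012345,+4366098765
1700000030 c-normal +4367011111
1700000000 c-scraper +4366000001,+4366000002,+4366000003,+4366000004,+4366000005
1700000001 c-scraper +4366000006,+4366000007,+4366000008,+4366000009,+4366000010
1700000002 c-scraper +4366000011,+4366000012,+4366000013,+4366000014,+4366000015
"""

WINDOW_SECONDS = 60
MAX_DISTINCT_PER_WINDOW = 12  # assumed cap on distinct numbers per client per window
MAX_SEQUENTIAL_RATIO = 0.6    # assumed share of consecutive numbers that signals enumeration
MIN_FOR_RATIO = 5             # ignore the sequential check for very small lookup sets

def parse_log(text: str) -> List[Tuple[int, str, List[str]]]:
    """Parse one event per line: (timestamp, client id, numbers in the batch)."""
    events = []
    for line in text.splitlines():
        ts, client, numbers = line.split()
        events.append((int(ts), client, numbers.split(",")))
    return events

def sequential_ratio(numbers: List[str]) -> float:
    """Share of adjacent sorted numbers that differ by exactly one (enumeration hint)."""
    digits = sorted(int(n.lstrip("+")) for n in set(numbers))
    if len(digits) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return consecutive / (len(digits) - 1)

def flag_enumerators(events: List[Tuple[int, str, List[str]]]) -> Dict[str, dict]:
    """Per client, slide a window over its batches and flag volume or sequential patterns."""
    by_client: Dict[str, List[Tuple[int, List[str]]]] = defaultdict(list)
    for ts, client, numbers in events:
        by_client[client].append((ts, numbers))
    flagged = {}
    for client, items in by_client.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(items):
            window = [n for ts, nums in items[i:] if ts - start < WINDOW_SECONDS for n in nums]
            distinct = set(window)
            ratio = sequential_ratio(window)
            if len(distinct) > MAX_DISTINCT_PER_WINDOW or (len(distinct) >= MIN_FOR_RATIO and ratio >= MAX_SEQUENTIAL_RATIO):
                flagged[client] = {"distinct": len(distinct), "sequential_ratio": round(ratio, 2)}
                break
    return flagged
```

A real deployment would feed this from streaming request logs and key on account plus device rather than a bare client id, but the two signals (distinct numbers per window and how consecutive they are) are what separate address-book syncs from enumeration.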

WhatsApp executives told reporters the new anti‑scraping measures had been stress‑tested against industry systems and that default end‑to‑end encryption prevented access to user messages; WhatsApp also said researchers deleted the data they collected.