
Meta Unlocks WhatsApp Network Protocol for Enhanced Bug Bounty Program


Meta announced Tuesday that it has made a new tool called WhatsApp Research Proxy available to some of its long-time bug bounty researchers. The goal is to improve the program and enable more effective research into the messaging platform's complex network protocol.

The move is intended to make it easier for researchers to delve into WhatsApp's specific technologies, given that the application remains a lucrative target for state-sponsored actors and commercial spyware vendors.


Program Expansion and Rewards

Meta is also setting up a pilot initiative that invites research teams to focus on platform abuse, providing support from internal engineering and specialized tools. The company stated its goal is to lower the barrier to entry for academics and other researchers who may be unfamiliar with bug bounties.

The social media giant revealed that it has awarded more than $25 million in bug bounties to over 1,400 researchers from 88 countries in the last 15 years. Over $4 million of that was paid out this year alone for almost 800 valid reports. In total, Meta received about 13,000 submissions.

Notable Vulnerabilities Discovered

Recent bug discoveries include an incomplete validation flaw in several versions of WhatsApp that could have allowed a user to trigger the processing of content retrieved from an arbitrary URL on another user's device. There is no evidence this issue was exploited in the wild.

Meta also released an operating-system-level patch to mitigate the risk posed by a vulnerability tracked as CVE-2025-59489. This flaw, which earned a CVSS score of 8.4, could have allowed malicious applications installed on Quest devices to manipulate Unity applications to achieve arbitrary code execution.

Anti-Scraping and Privacy

Finally, Meta confirmed it has added anti-scraping protections to WhatsApp. This action followed a report detailing a novel method to enumerate WhatsApp accounts at scale across 245 countries, allowing a dataset containing every user to be built while bypassing the service's rate limiting restrictions.

The attack exploited a legitimate contact discovery feature used to determine whether contacts are registered on the platform. This allowed an attacker to compile basic publicly accessible information, including profile photos and "About" text. WhatsApp Vice President of Engineering Nitin Gupta noted that the study helped stress test and confirm the efficacy of new anti-scraping defenses and that user messages remained private and secure thanks to end-to-end encryption.
