Meta Enhances WhatsApp Security with New Research Tools and $4 Million in Bug Bounties
In a significant move to bolster the security of its widely used messaging platform, Meta has introduced the WhatsApp Research Proxy tool. The proxy is aimed at experienced bug bounty researchers and gives them deeper visibility into WhatsApp's network protocols, so that vulnerabilities can be found and reported more effectively.
Introduction of WhatsApp Research Proxy
The WhatsApp Research Proxy is designed to lower the barrier to studying WhatsApp-specific technologies, which are otherwise opaque to outside researchers. Since the platform remains a prime target for state-sponsored actors and commercial spyware vendors, Meta expects the tool to bring more external scrutiny to exactly the components those attackers target.
Pilot Initiative for Platform Abuse Research
Beyond the Research Proxy, Meta is launching a pilot program that invites research teams to delve into platform abuse. This initiative offers support through internal engineering resources and specialized tools. Meta’s objective is to make its bug bounty program more accessible, especially to academics and researchers who may not have prior experience in this domain.
Bug Bounty Program Achievements
Over the past 15 years, Meta has awarded over $25 million in bug bounties to more than 1,400 researchers from 88 countries. Notably, in the current year alone, the company disbursed over $4 million for nearly 800 valid reports, out of approximately 13,000 submissions. This underscores Meta’s commitment to collaborating with the global security research community to fortify its platforms.
Noteworthy Vulnerability Discoveries
Among the significant vulnerabilities identified was an incomplete validation issue in various versions of WhatsApp, including:
– WhatsApp prior to v2.25.23.73
– WhatsApp Business for iOS v2.25.23.82
– WhatsApp for Mac v2.25.23.83
This flaw could have allowed a user to trigger the processing of content from an arbitrary URL on another user's device. Meta has said it has no evidence that the vulnerability was exploited in the wild.
Another high-severity vulnerability, tracked as CVE-2025-59489 with a CVSS score of 8.4, was patched on Meta's Quest devices. This flaw could have enabled a malicious application installed on a Quest device to manipulate Unity-based applications, leading to arbitrary code execution. The discovery and reporting of this issue are credited to Flatt Security researcher RyotaK.
Addressing Large-Scale Data Scraping
Meta has also implemented anti-scraping measures in response to a report that described a method to enumerate WhatsApp accounts across 245 countries. The technique could compile a dataset covering essentially every user, and the researchers were able to issue their lookups without being stopped by rate limiting. Given WhatsApp's user base of approximately 3.5 billion active users, an enumeration of this scale is a significant privacy concern even when each individual record is small.
The attack exploited WhatsApp's contact discovery feature, which tells a user which phone numbers in their address book are registered on the platform. Queried at high volume, the same feature reveals whether any given number has an account, and for registered numbers it also returns whatever the target's privacy settings leave visible to non-contacts, including profile photos, About texts, and timestamps of key updates. Meta has stated that there is no evidence indicating malicious exploitation of this vector.
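The enumeration described above, and the kind of defence Meta describes as its response, as an added example that is not Meta's or WhatsApp's code and not the researchers' tooling: a toy contact-discovery service with a naive lookup beside a guarded one. The phone numbers, the registry contents, the query rate and the thresholds (100 lookups per 60 seconds per source, an alert once 95% of a source's lookups hit unregistered numbers) are all constructed for the illustration and are not WhatsApp's actual limits.

```python
from collections import defaultdict, deque

# Constructed registry (not real accounts). A hit returns the metadata a
# lookup exposes: registration status, plus whatever profile data the
# account's privacy settings leave visible to non-contacts.
REGISTRY = {
    "+15550000001": {"photo": True, "about": "Hey there!"},
    "+15550000007": {"photo": False, "about": None},
    "+15550000042": {"photo": True, "about": None},
    "+15550000999": {"photo": True, "about": "Busy"},
}


class RateLimited(Exception):
    """Raised when a source exceeds its lookup budget."""


def lookup_unlimited(source, number, now):
    """Naive contact discovery: every query from every source is answered,
    so one source can sweep an entire numbering plan unhindered."""
    return REGISTRY.get(number)


class SlidingWindowLimiter:
    """Per-source sliding window: at most max_queries lookups in any
    window-second span. One deque of timestamps per source."""

    def __init__(self, max_queries, window):
        self.max_queries = max_queries
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, source, now):
        q = self._hits[source]
        while q and q[0] <= now - self.window:   # drop expired timestamps
            q.popleft()
        if len(q) >= self.max_queries:
            return False
        q.append(now)
        return True


class GuardedDiscovery:
    """Contact discovery with two defences the naive version lacks: a
    per-source rate limit, and a flag on sources whose lookups are almost
    all misses. A sequential sweep of a numbering plan looks like that; a
    genuine address-book sync mostly asks about numbers that exist.
    Thresholds are illustrative assumptions, not WhatsApp's."""

    def __init__(self, max_queries=100, window=60.0,
                 miss_ratio_alert=0.95, min_sample=50):
        self.limiter = SlidingWindowLimiter(max_queries, window)
        self.miss_ratio_alert = miss_ratio_alert
        self.min_sample = min_sample
        self.stats = defaultdict(lambda: {"queries": 0, "misses": 0})
        self.flagged = set()

    def lookup(self, source, number, now):
        if not self.limiter.allow(source, now):
            raise RateLimited(source)
        st = self.stats[source]
        st["queries"] += 1
        result = REGISTRY.get(number)
        if result is None:
            st["misses"] += 1
        if (st["queries"] >= self.min_sample
                and st["misses"] / st["queries"] >= self.miss_ratio_alert):
            self.flagged.add(source)
        return result


def sweep(lookup, source, prefix, start, stop, step_seconds=0.01):
    """Attacker loop: walk prefix + 7-digit suffixes sequentially at 100
    queries per second, collecting registered numbers until the service
    refuses. Returns (hits, number_of_queries_answered)."""
    hits, answered, now = {}, 0, 0.0
    for n in range(start, stop):
        number = f"{prefix}{n:07d}"
        try:
            result = lookup(source, number, now)
        except RateLimited:
            break
        answered += 1
        if result is not None:
            hits[number] = result
        now += step_seconds
    return hits, answered


if __name__ == "__main__":
    hits, n = sweep(lookup_unlimited, "attacker", "+1555", 0, 1000)
    print(f"unlimited: {n} lookups answered, {len(hits)} accounts found")
    guarded = GuardedDiscovery()
    hits, n = sweep(guarded.lookup, "attacker", "+1555", 0, 1000)
    print(f"guarded: {n} lookups answered, {len(hits)} found, "
          f"flagged={sorted(guarded.flagged)}")
```

Against the naive endpoint the sweep answers all 1,000 lookups and recovers every registered number in the range; against the guarded one it is cut off after the 100-query budget, and the miss-ratio detector has already flagged the source by its 60th lookup (57 misses out of 60), before the hard limit even triggers. The ratio check is a coarse heuristic: a legitimate client syncing a large address book full of unregistered numbers could trip it, which is why a real deployment would treat the flag as a signal for further review rather than an automatic block.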
Interestingly, the study revealed millions of phone numbers registered to WhatsApp in countries where the service is officially banned, including 2.3 million in China and 1.6 million in Myanmar. Gabriel Gegenhuber, a researcher from the University of Vienna and lead author of the study, said the team was surprised that the system answered such a high volume of requests from a single source; that missing check is what made the enumeration possible.
Meta’s Proactive Measures
In response to these findings, Meta has been proactive in enhancing its anti-scraping systems. Nitin Gupta, vice president of engineering at WhatsApp, emphasized that the study was instrumental in testing and confirming the effectiveness of these new defenses.
Conclusion
Meta's recent initiatives, including the introduction of the WhatsApp Research Proxy and the continued investment in bug bounties, reflect the company's stated commitment to the security and privacy of its users. By working with the global research community and hardening its defences in response to what that community reports, Meta aims to stay ahead of the actors targeting its messaging platform.