Nov 18, 2025Ravie LakshmananBug Bounty / Knowledge Privateness
Meta on Tuesday mentioned it has made accessible a instrument referred to as WhatsApp Analysis Proxy to a few of its long-time bug bounty researchers to assist enhance this system and extra successfully analysis the messaging platform’s community protocol.
The thought is to make it simpler to delve into WhatsApp-specific applied sciences as the applying continues to be a profitable assault floor for state-sponsored actors and business adware distributors.
The corporate additionally famous that it is establishing a pilot initiative the place it is inviting analysis groups to deal with platform abuse with help for inside engineering and tooling. “Our aim is to decrease the barrier of entry for lecturers and different researchers who won’t be as acquainted with bug bounties to hitch our program,” it added.
The event comes because the social media big mentioned it has awarded greater than $25 million in bug bounties to over 1,400 researchers from 88 nations within the final 15 years, out of which greater than $4 million had been paid out this 12 months alone for nearly 800 legitimate stories. In all, Meta mentioned it acquired round 13,000 submissions.
A few of the notable bug discoveries included an incomplete validation bug in WhatsApp previous to v2.25.23.73, WhatsApp Enterprise for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 that might have enabled a person to set off processing of content material retrieved from an arbitrary URL on one other person’s machine. There isn’t a proof that the problem was exploited within the wild.
Additionally patched by Meta is a vulnerability tracked as CVE-2025-59489 (CVSS rating: 8.4) that might have allowed malicious functions put in on Quest units to govern Unity functions to attain arbitrary code execution. Flatt Safety researcher RyotaK has been acknowledged for locating and reporting the flaw.
Easy WhatsApp Safety Flaw Exposes 3.5 Billion Cellphone Numbers
Lastly, Meta mentioned it added anti-scraping protections to WhatsApp following a report that detailed a novel methodology to enumerate WhatsApp accounts at scale throughout 245 nations and construct a dataset containing each person, bypassing the service’s rate-limiting restrictions. WhatsApp has about 3.5 billion energetic customers.
The assault takes benefit of a legit WhatsApp contact discovery characteristic that requires customers to first decide whether or not their contacts are registered on the platform. It primarily permits an attacker to compile primary publicly accessible data, together with their profile images, About textual content, and timestamps related to key updates associated to the 2 attributes. Meta mentioned it discovered no indications that this vector was ever abused in a malicious context.
Curiously, the examine discovered tens of millions of telephone numbers registered to WhatsApp in nations the place it is formally banned, together with 2.3 million in China and 1.6 million in Myanmar.
“Usually, a system should not reply to such a excessive variety of requests in such a short while – significantly when originating from a single supply,” Gabriel Gegenhuber, College of Vienna researcher and lead creator of the examine, mentioned. “This conduct uncovered the underlying flaw, which allowed us to concern an successfully limitless requests to the server and, in doing so, map person information worldwide.”
Earlier this 12 months, Gegenhuber et al additionally demonstrated one other analysis titled Careless Whisper that confirmed how supply receipts can pose vital privateness dangers to customers, thereby permitting an attacker to ship particularly crafted messages that may set off supply receipts with out their data or consent and extract their exercise standing.
“By utilizing this system at excessive frequency, we reveal how an attacker might extract personal data, resembling following a person throughout totally different companion units, inferring their each day schedule, or deducing present actions,” the researchers famous.
“Furthermore, we are able to infer the variety of at present energetic person periods (i.e., foremost and companion units) and their working system, in addition to launch useful resource exhaustion assaults, resembling draining a person’s battery or information allowance, all with out producing any notification on the goal facet.”
