Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bug Bounties This Year


WhatsApp handles billions of messages every day, and attackers keep finding new ways to compromise accounts or track users. Meta knows this pressure is only getting stronger.
So the company is expanding its security research efforts by introducing a new research proxy, supporting academic teams, tightening anti-scraping protections, and offering more than $4 million in payouts this year alone.

If you’ve been following WhatsApp-related threats, you may already know how common phishing, session hijacking, and device-level attacks are. I covered some of these patterns earlier in How Hackers Use WhatsApp Web and How to Catch Them Early and the value of securing your account in WhatsApp Two-Step Verification: Complete Setup and Best Practices.
Meta’s latest update shows how the company is trying to stay ahead of these threats by bringing more researchers into the process.

TL;DR

Meta is opening WhatsApp security to more researchers through a new protocol research proxy, academic partnerships, and over $4 million in bug bounty rewards this year. The company also patched recent flaws, strengthened anti-scraping defenses, and introduced new protections to stop global-scale enumeration attacks. These changes aim to improve user safety as threats from spyware groups, APTs, and phishing operations continue to rise.

AI Summary

  • WhatsApp’s new Research Proxy lets approved researchers study internal protocol behavior.
  • Meta is adding academic teams to long-term security research.
  • Over $4 million awarded in bounties this year, with nearly 800 valid reports.
  • Recent vulnerabilities patched, including a high-severity RCE issue.
  • Stricter rate limits to block attempts to enumerate billions of phone numbers.
  • Meta is expanding collaboration to improve WhatsApp’s long-term security posture.

WhatsApp Research Proxy: a new tool for deeper analysis

Meta introduced the WhatsApp Research Proxy, a tool that gives vetted researchers controlled insight into WhatsApp’s protocol behavior.
The proxy allows them to observe:

  • message routing
  • serialization and parsing logic
  • retry and delivery handling
  • connection and network behaviors
  • error-handling patterns

This is the kind of access that’s usually not available in mainstream messaging apps. By offering it through a controlled environment, Meta hopes researchers can uncover deeper issues before attackers do.

Meta opens a new path for academics

Meta launched a pilot program for academic researchers, allowing universities and research labs to study WhatsApp’s security at a deeper level.

These teams will get:

  • internal guidance
  • documentation and insights
  • support for long-term research projects
  • help from Meta’s engineers
  • access to tools needed to study metadata risks, scraping behavior, and protocol weaknesses

This approach encourages more research focused on long-term abuse patterns, not just one-time bug submissions.

Bug bounty numbers hit new highs

Meta shared updated payout numbers this year, and they show how active and competitive WhatsApp security research has become. The bug bounty program has been running for years, but 2025 marks one of its busiest periods.

So far, Meta reports:

  • over $25 million paid since the program began
  • 1,400+ researchers paid, from 88 countries
  • nearly 800 valid reports accepted this year
  • more than $4 million awarded in 2025 alone

These numbers show two things. First, the volume of valid findings is growing, which means more researchers are digging into WhatsApp’s systems. Second, the rewards are rising because Meta sees WhatsApp as a high-value target that needs deeper, continuous scrutiny.

Many of the accepted reports involve areas that attackers usually focus on, including:

  • how WhatsApp’s web sessions behave
  • how metadata is processed
  • how the app handles malformed or manipulated network traffic
  • ways attackers try to break end-to-end encryption indirectly
  • device-level exploitation techniques
  • loopholes that allow scraping or automated abuse

A growing community of researchers also means new perspectives. Some look at WhatsApp through a network lens, some look at protocol behavior, and others focus on device-side vulnerabilities. Meta rewards all of these angles because they help expose weaknesses before real attackers find them.

This year’s payout spike shows how much effort security teams and independent researchers are putting into WhatsApp. It also explains why Meta is opening up new research pathways, since the volume and complexity of submissions continue to rise every year.

Recent vulnerabilities patched by Meta

Meta disclosed details of two recent vulnerabilities it fixed.

Vulnerability 1: Arbitrary URL Content Retrieval

A flaw allowed a WhatsApp client to fetch content from an attacker-controlled URL.

Affected versions:

  • Android before 2.25.23.73
  • iOS Business before 2.25.23.82
  • Mac before 2.25.23.83

Meta says there is no evidence of active exploitation.

Vulnerability 2: High-Severity Quest Device RCE

This bug is tracked as CVE-2025-59489 with a CVSS score of 8.4.
It affected Unity-based apps on Meta Quest devices and could allow remote code execution.

Both issues have been patched.

Large-scale enumeration risks and stronger anti-scraping protections

One of the biggest concerns highlighted in recent research is how attackers can misuse WhatsApp’s contact discovery feature to check whether a phone number is registered on the platform.
This is not a new problem in the industry, but WhatsApp’s massive user base makes it more serious. When attackers automate this process, they can run millions of checks in a short span of time. At global scale, this means they can potentially verify up to 3.5 billion numbers and build huge lists of active WhatsApp accounts.

Attackers use this information in many ways. Some use it to target people with phishing links. Others use it to launch social engineering attempts, impersonate businesses, or match numbers with leaked databases. Fraud groups often rely on these lists to run spam campaigns or to identify high-value targets in specific regions.

Meta has now added stronger protections to slow down or block this kind of behavior. These updates include:

  • Stricter rate limits to prevent rapid, automated checking of phone numbers.
  • API-level throttling, so systems slow down or stop repeated requests from suspicious sources.
  • Improved server-side validation, which filters out abnormal or abusive patterns.
  • Better scraping detection, using new signals that flag large-scale or unusual activity.
  • Continuous behavior monitoring, so Meta can respond faster when attackers change their methods.

Together, these protections make it much harder for attackers to gather large sets of WhatsApp numbers. It doesn’t eliminate the threat completely, but it raises the cost and limits how much data they can collect.
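
To make the first and fourth protections concrete, here is an added example (not Meta's implementation, which the article does not describe) of a server-side guard that applies a per-client sliding-window limit on distinct numbers looked up and flags runs of consecutive numbers as a range sweep. The class name, thresholds, client IDs, and sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

# Assumed thresholds for illustration; real values would be tuned on production traffic.
WINDOW_SECONDS = 60       # sliding window length
MAX_DISTINCT = 50         # distinct numbers one client may look up per window
MAX_SEQUENTIAL_RUN = 10   # consecutive numbers in a row that suggest a range sweep

class LookupGuard:
    """Per-client state for contact-discovery lookups (hypothetical helper)."""
    def __init__(self):
        self.events = defaultdict(deque)   # client_id -> deque of (ts, number)
        self.runs = {}                     # client_id -> (last_number, run_length)

    def check(self, client_id, number, ts):
        """Return 'allow', 'throttle' (rate limit hit) or 'flag' (range sweep)."""
        window = self.events[client_id]
        while window and ts - window[0][0] >= WINDOW_SECONDS:
            window.popleft()               # expire lookups older than the window
        window.append((ts, number))

        last, run = self.runs.get(client_id, (None, 0))
        run = run + 1 if last is not None and number == last + 1 else 1
        self.runs[client_id] = (number, run)

        if run >= MAX_SEQUENTIAL_RUN:
            return "flag"                  # scraping signal: walking a number range
        if len({n for _, n in window}) > MAX_DISTINCT:
            return "throttle"              # rate limit: too many distinct numbers
        return "allow"

def replay(events):
    """Feed (client_id, number, ts) tuples through a fresh guard; count verdicts per client."""
    guard, counts = LookupGuard(), defaultdict(Counter)
    for client_id, number, ts in events:
        counts[client_id][guard.check(client_id, number, ts)] += 1
    return {client: dict(c) for client, c in counts.items()}

# Constructed sample traffic (not real numbers or logs).
SAMPLE = (
    [("phone-a", 15550000000 + i * 7919, i * 0.5) for i in range(20)]   # address-book sync
    + [("bot-b", 15551230000 + i, i * 0.1) for i in range(30)]          # sequential sweep
    + [("bot-c", 15560000000 + i * 13, i * 0.2) for i in range(80)]     # high volume, non-sequential
)

if __name__ == "__main__":
    for client, verdicts in replay(SAMPLE).items():
        print(client, verdicts)
```

The ordinary address-book sync passes untouched, while the sequential sweep is flagged after its tenth consecutive number and the high-volume client is throttled once it exceeds the distinct-number cap.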

For regular users, this means fewer unwanted messages, fewer targeted scams, and less exposure to fraud campaigns that often begin with simple number harvesting.

Why Meta is expanding WhatsApp security research

WhatsApp is a major target for a wide range of attackers, and each group has a different motive. Spyware vendors look for vulnerabilities that let them slip into devices silently. APT groups, often backed by governments, try to monitor people of interest or gain long-term access to sensitive conversations. Phishing operators focus on stealing verification codes or tricking people into giving up their accounts. There are also data-gathering bots that scrape information in bulk, malware that tries to infect phones through attachments or malicious links, and fraud networks that look for loopholes to hijack accounts and impersonate users.

All of this makes WhatsApp one of the most frequently targeted apps in the world. The attacks keep changing, and the people behind them keep getting smarter. This is why Meta believes that opening up more research tools is the only practical way to stay ahead. When more researchers can study WhatsApp’s internal behavior, it leads to more eyes on the problem, more testing, and a wider range of ideas.

Better collaboration means vulnerabilities are found earlier, fixed faster, and understood more deeply. Meta wants researchers, academics, and security experts to work together instead of relying only on internal teams. It’s a way to strengthen WhatsApp in the long run and build a security system that keeps improving as new threats appear.

What this means for everyday users

Most people won’t notice these changes happening behind the scenes, but they make a real difference. WhatsApp’s security depends on how fast vulnerabilities are found and fixed, and Meta’s new efforts directly improve that. More researchers studying the app means threats are spotted earlier, patches are released quicker, and attackers get fewer chances to exploit gaps.

Here’s what these updates translate to for a regular user:

  • Faster bug fixes, since more qualified researchers are now looking at WhatsApp’s internal systems.
  • Fewer spyware risks, especially from sophisticated groups that target phones through hidden vulnerabilities.
  • Stronger account protections, which help block phishing attempts, session hijacks, and unauthorized access.
  • Reduced number enumeration, so attackers can’t easily check whether your number is linked to WhatsApp.
  • Safer updates, with more thorough testing before new features or patches roll out.
  • Better long-term privacy, because protocol-level research helps protect the parts of WhatsApp you don’t see but rely on every day.

And while Meta improves the platform from the inside, there are simple steps you can take right now to strengthen your own account.

Start with these guides:

Both articles cover the most common real-world WhatsApp attacks and give you practical ways to stay safe. Together, platform improvements and user awareness create the strongest layer of protection.

To sum up

Meta’s update shows a clear shift toward a more open and collaborative approach to WhatsApp security. The company knows attackers move fast, and the only way to stay ahead is to bring more researchers into the fold. The new proxy tool, the academic program, and the increased bounty rewards all point to one thing: WhatsApp’s security can’t depend on closed doors anymore.

For everyday users, these efforts mean quieter improvements, fewer hidden risks, and stronger protection in the background. And while Meta works on the larger system, simple steps like turning on two-step verification and staying alert to common scams still make the biggest difference. It’s a mix of platform-level defense and user awareness that keeps accounts safe.

If this pace of research continues, WhatsApp will likely become harder for attackers to exploit and easier for users to trust.

FAQs

How does the WhatsApp Research Proxy help researchers?

It offers controlled access to WhatsApp’s protocol behavior, including message flows, parsing logic, and network-level decisions.

Why is Meta including academic researchers now?

Academics often study deeper, large-scale problems like scraping behavior and metadata risks. Meta wants these insights to strengthen WhatsApp’s security.

What vulnerabilities were fixed recently?

Meta patched an arbitrary URL content retrieval flaw in older WhatsApp versions and a high-severity remote code execution issue affecting Unity-based apps on Quest devices.

How serious is phone-number enumeration?

Attackers can theoretically check billions of numbers to see who uses WhatsApp. Meta’s new protections aim to stop these large-scale scraping attacks.

What does this mean for WhatsApp users?

Users get better protection, faster patches, and reduced exposure to sophisticated attacks. Enabling two-step verification adds another layer of safety.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
