
Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bounties This Year

Medium
Vulnerability
Published: Tue Nov 18 2025 (11/18/2025, 15:56:00 UTC)
Source: The Hacker News

Description

Meta on Tuesday said it has made available a tool called WhatsApp Research Proxy to some of its long-time bug bounty researchers to help improve the program and more effectively research the messaging platform's network protocol. The idea is to make it easier to delve into WhatsApp-specific technologies as the application continues to be a lucrative attack surface for state-sponsored actors and

AI-Powered Analysis

Last updated: 11/18/2025, 21:01:57 UTC

Technical Analysis

Meta has expanded its WhatsApp security research program by releasing the WhatsApp Research Proxy tool to select bug bounty researchers, enabling deeper analysis of WhatsApp’s proprietary network protocol. This initiative aims to lower barriers for academic and security researchers to identify vulnerabilities in WhatsApp, a widely used messaging platform with approximately 3.5 billion active users globally. Among recent security findings, Meta disclosed a medium-severity vulnerability affecting WhatsApp versions prior to v2.25.23.73 (including Business for iOS and Mac clients) that could allow an attacker to trigger processing of content fetched from arbitrary URLs on another user's device, potentially leading to remote code execution or data leakage, though no exploitation has been observed in the wild. Meta also patched a high-severity OS-level vulnerability (CVE-2025-59489, CVSS 8.4) on Quest VR devices that allowed malicious apps to manipulate Unity applications to execute arbitrary code. Furthermore, researchers demonstrated a novel scraping technique exploiting WhatsApp’s contact discovery feature to enumerate user accounts at scale, bypassing rate limits and collecting publicly accessible metadata such as profile photos, About texts, and update timestamps. This scraping exposed millions of accounts even in countries where WhatsApp is banned, such as China and Myanmar. Meta responded by enhancing anti-scraping defenses and confirmed no evidence of malicious abuse. Prior research also revealed that delivery receipts could be exploited to infer user activity patterns, session counts, and operating systems, and to launch resource exhaustion attacks without alerting the user. Collectively, these findings highlight WhatsApp’s ongoing risk profile as a target for state-sponsored actors and commercial spyware vendors, emphasizing the need for continuous security improvements and vigilant monitoring.

Potential Impact

For European organizations, the disclosed vulnerabilities and privacy issues pose significant risks given WhatsApp's widespread use for both personal and professional communication. The arbitrary URL content processing flaw could be exploited to deliver malicious payloads or exfiltrate sensitive data from user devices, potentially compromising confidentiality and integrity. The scraping vulnerability threatens user privacy by enabling mass collection of metadata, which could be leveraged for profiling, social engineering, or targeted attacks. The ability to infer user activity and device information via delivery receipt manipulation further endangers privacy and could facilitate surveillance or harassment. Although no active exploitation has been reported, the presence of these vulnerabilities increases the attack surface for state-sponsored and commercial spyware actors known to target European entities. Organizations relying on WhatsApp for sensitive communications may face reputational damage, regulatory scrutiny under GDPR for inadequate data protection, and operational disruptions if user devices are compromised. The patched Quest device vulnerability also underscores risks in emerging VR platforms used in enterprise contexts. Overall, these threats necessitate proactive security measures to safeguard communications and user privacy within European jurisdictions.

Mitigation Recommendations

European organizations should implement a multi-layered mitigation strategy beyond generic advice:

1) Ensure all WhatsApp clients (mobile, desktop, business) are updated promptly to the latest versions containing relevant security patches, especially versions beyond v2.25.23.83.
2) Educate users about the risks of interacting with unsolicited links or content, emphasizing caution with messages containing URLs from unknown contacts.
3) Monitor and restrict installation of untrusted applications on devices, particularly VR platforms like Quest, to prevent exploitation of OS-level vulnerabilities.
4) Employ network-level controls and anomaly detection to identify unusual traffic patterns indicative of scraping or automated enumeration attempts targeting WhatsApp services.
5) Leverage endpoint protection solutions capable of detecting suspicious behaviors related to message delivery receipt manipulation or resource exhaustion attacks.
6) Collaborate with legal and compliance teams to ensure data privacy policies align with GDPR requirements, including minimizing exposure of user metadata.
7) Encourage participation in coordinated vulnerability disclosure programs and maintain communication with Meta’s security updates to stay informed of emerging threats and patches.
8) For organizations using WhatsApp Business API, implement strict access controls and audit logging to detect abuse or unauthorized access.
9) Consider alternative secure communication platforms for highly sensitive communications until these risks are fully mitigated.
10) Regularly review and update incident response plans to include scenarios involving messaging platform compromises and privacy breaches.


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/11/meta-expands-whatsapp-security-research.html","fetched":true,"fetchedAt":"2025-11-18T21:01:28.700Z","wordCount":1364}

Threat ID: 691cdeaa90fff14d7012a9df

Added to database: 11/18/2025, 9:01:30 PM

Last enriched: 11/18/2025, 9:01:57 PM

Last updated: 11/19/2025, 3:43:31 AM
