WhatsApp Web Code Hacked

Every WhatsApp user might have known about the multi-device capability feature that was introduced as a beta programme last year. Ever since its introduction, many of the WhatsApp users were using WhatsApp directly from their web browser. An important capability of this feature is that it supports up to 4 devices.

To protect WhatsApp web users from tampered QR codes, Meta has introduced a new browser extension known as “Code Verify”. This extension verifies the authenticity of the WhatsApp web code served to the user’s browser. End-to-end encryption has been in place for a long period of time in WhatsApp in which messages are encrypted from the sender’s end and decrypted at the receiver’s end.

In case of a mobile app, the authenticity of the application is audited by any of the third-party app stores. But when it comes to browsers, there is no auditing or reviewing of the integrity. It is directly served to the user’s browser. Any third party sites might intervene in the browser’s functionality and steal confidential data or tamper the integrity. Code Verify adds an additional layer of security to WhatsApp web users.

Code Verify – How Does it Work?

Code Verify has partnered with Cloudflare to help provide transparent verification of the code. It is also left open source so that other companies might also use that code to build their own security extensions or authenticators.

Code Verify will check every resource being fetched by the browser and ensures that they are not manipulated or tampered in any way. It uses the concept of “subresource integrity” to do this. But Subresource integrity lacks in many cases since it only applies to single files. Code Verify checks the entire resource page for tampered data. Cloudflare plays a major role to enhance trust in this process.

The working structure of Code Verify can be explained in a flow chart.

Source : Meta

WhatsApp provided a cryptographic hash source of truth that is based on the WhatsApp web’s JavaScript code. When a user uses Code Verify extension, it compares the code of WhatsApp web with the code version provided by WhatsApp and with the code published on Cloudflare. If any of them doesn’t match or is found tampered, Code Verify notifies the user. This provides a real-code verification for the users. Whenever the code is updated on WhatsApp, the cryptographic source of code and the Code Verify extensions will automatically update.

Code Verify – How to Use?

Code Verify extension is available in most of the web browsers like Firefox, Chrome, Edge etc. Meta also added that this extension will not monitor or collect any data and it will not share any information with WhatsApp or Cloudflare. Code Verify will have three alert signals.

Green – Fully Validated

Yellow – Another browser extension is interfering with Code Verify

Red – Validation Failure due to security issues.

Source : Meta


Meta has decided to put the code in Github so that the open-source community can share their ideas to help improve the feature. 
Meta posted that, “We believe that with Code Verify, we are charting new territory with automatic third-party code verification, particularly at this scale. We hope that more services use the open source version of Code Verify and make third-party verified web code the new norm. And in doing so, we hope this helps bring additional security protections to people all over the world and move the entire industry forward. “

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.