WhatsApp launches extension that alerts user if web version is hacked

Good news for those who use WhatsApp Web: this week, Meta (the service's owner) announced Code Verify, an extension for Chrome, Edge and Firefox that checks whether the browser version of the messenger has been tampered with. This is a way to prevent spying, for example. The most unusual part is this: the protection was developed in partnership with Cloudflare.

Code Verify for Edge (Image: Playback/Meta)

Meta itself (formerly Facebook) admits that WhatsApp Web does not have the same security controls that exist in the Android and iOS versions of the service.

According to the company, app stores review and approve each application and software update that is published, which significantly reduces the risk of these tools being tampered with.

Compared to a mobile platform, a browser is a much less controlled environment. There, it is harder to ensure that an extension, for example, will not modify how WhatsApp Web (or any other web service) works.

Cloudflare enters the scene

Cloudflare claims it was approached by Meta to raise the level of protection for WhatsApp Web. The reason? Cloudflare itself explains:

With the use of WhatsApp in the browser increasing and the growing number of users at risk — including journalists, activists and human rights defenders — WhatsApp wanted to take steps to provide reassurance to browser-based users.

It is difficult to ensure that the WhatsApp Web source code will not be tampered with for malicious purposes when loaded in the browser; on the other hand, a check can be implemented to alert the user that something there is not right. This is precisely the approach of Code Verify.

How does Code Verify work?

Basically, Code Verify does a comparison of hashes (strings generated from mathematical calculations).

It works like this: when the user opens WhatsApp Web, Code Verify checks the hash of the source code loaded in the browser and compares it with the hash stored on Cloudflare’s servers; if the hashes are the same, everything is fine; if they are different, some tampering has happened (any code modification, however small, will generate a different hash).

Intuitively, Code Verify generates three types of warnings: “validated”, “possible risk detected”, and “validation failed”. Obviously, the last two indicate that something is wrong.

The problem may be caused by an extension that inadvertently altered how the page works, or it may in fact be evidence of a real danger, such as malware that captures user data. That’s why, when Code Verify raises an alert, it is recommended not to use WhatsApp Web until the problem is verified.

This method will work even if WhatsApp Web is updated. That’s because when WhatsApp publishes the latest version of its JavaScript libraries on its servers, it will also place the corresponding hash in Cloudflare’s audit endpoint. This is important because WhatsApp Web always looks for the latest libraries.
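The comparison described above, as an added example (not Code Verify's source and not code from Meta or Cloudflare): the publisher builds a manifest of hashes at release time, and the client hashes the scripts it actually loaded and compares them. The script names, the manifest layout, the use of SHA-256 and the mapping of conditions to the three warning names are assumptions made for this illustration.

```javascript
// Simplified model of manifest-based script verification (added example).
const { createHash } = require("crypto");

// Hex-encoded SHA-256 of a script body.
function sha256Hex(source) {
  return createHash("sha256").update(source, "utf8").digest("hex");
}

// Publisher side: one hash per released script, rebuilt on every release so
// the manifest always describes the latest libraries.
function buildManifest(version, scripts) {
  const hashes = new Map();
  for (const [name, source] of Object.entries(scripts)) {
    hashes.set(name, sha256Hex(source));
  }
  return { version, hashes };
}

// Client side: hash what was actually loaded and compare with the manifest.
// Assumed mapping: any hash mismatch -> "validation failed"; a script the
// manifest does not list (e.g. injected by an extension) -> "possible risk
// detected"; otherwise "validated".
function verifyPage(loadedScripts, manifest) {
  const mismatched = [];
  const unlisted = [];
  for (const [name, source] of Object.entries(loadedScripts)) {
    if (!manifest.hashes.has(name)) unlisted.push(name);
    else if (sha256Hex(source) !== manifest.hashes.get(name)) mismatched.push(name);
  }
  let status = "validated";
  if (mismatched.length > 0) status = "validation failed";
  else if (unlisted.length > 0) status = "possible risk detected";
  return { status, mismatched, unlisted };
}

// Constructed sample scripts, not real WhatsApp Web code.
const published = {
  "app.js": "function send(msg) { return encrypt(msg); }",
  "vendor.js": "function encrypt(m) { return seal(m); }",
};
const manifest = buildManifest("constructed-v1", published);

const clean = verifyPage(published, manifest);
// A single added space is enough to change the hash.
const tampered = verifyPage({ ...published, "app.js": published["app.js"] + " " }, manifest);
const injected = verifyPage({ ...published, "injected.js": "log(document.body)" }, manifest);
console.log(clean.status, "|", tampered.status, "|", injected.status);
```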

Code Verify warnings (image: disclosure/Meta)

Code Verify: install it now

Comparing hashes is not a new solution. This type of mechanism has been used for years by developers who want to ensure that the user is downloading legitimate software, for example. What makes Code Verify interesting is the fact that this check is done automatically.

But, as you already know, WhatsApp Web does not do it alone. Code Verify must be installed in the browser. Here are the links:

A Firefox version is promised soon.

One more detail: Code Verify is open source.
