Though many use WhatsApp’s secure app, the collaboration promises to protect WhatsApp’s “web version” users from malicious individuals or groups looking to compromise or tamper with WhatsApp’s end-to-end encryption. It does so with the help of a new WhatsApp “Code Verify” extension, Cloudflare said.
Browser-based WhatsApp Users Growing in Number
WhatsApp is seeing growth in users accessing the web version of the app, as opposed to the smartphone app. One reason for this is “the increasing number of at-risk users” such as human rights defenders, activists, journalists, and others, Cloudflare said. The other reason is that, following WhatsApp’s “multi-device capability” feature added last year, the web version of WhatsApp can be accessed more seamlessly. With the web-based version rising in popularity, “WhatsApp wanted to take steps to provide assurances to browser-based users,” Cloudflare said. The messaging giant approached Cloudflare to “raise the bar” in defending against malicious third parties looking to compromise users. Threat actors can do this by tampering “with the code responsible for end-to-end encryption of messages between WhatsApp users,” Cloudflare added.
New Extension Will Assure Web-based Users
Most of the estimated 2 billion WhatsApp users worldwide are smartphone users, with the majority of downloads coming from the Google Play Store (Android), followed by Apple’s App Store. Both app stores have a strict app verification process, but the web version, which far fewer people use, was not as secure, leaving the door open to phishing scams and other security risks. As such, the question for the remaining web-based users is: “How do you know the code your web browser downloads when visiting a website is the code the website intended you to run?” The answer to this is a new extension called “WhatsApp Code Verify,” published by Meta Open Source, that compares hashes of the code executed in a browser with Cloudflare’s hash. This enables users to verify whether legitimate code is being executed. The idea of comparing hashes to detect suspicious activity or corrupted files is not new in itself. However, automating this process and deploying it on a massive scale is very beneficial to vast platforms like WhatsApp, Cloudflare added. The approach also has parallels to some existing scalable browser validation and auditable transparency-oriented technologies such as Subresource Integrity, Certificate Transparency, and Binary Transparency, Cloudflare said. Cloudflare emphasized that it will not have access to users’ messages, chats, or other traffic; those will remain private and end-to-end encrypted.
How Code Verify Works
To break the process down, Cloudflare has published steps that describe how WhatsApp Code Verify functions. Here’s their step-by-step breakdown of the process:
If hashes match, the code will be “verified” and the user will see a green checkmark via the extension. If not, the user will see a “Possible Risk Detected” or “Validation Failure” window which would indicate that “the code running on the user’s browser is different from the code WhatsApp intended to run on all its user’s browsers,” Cloudflare noted.
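The hash comparison described above, as an added example that is not code from WhatsApp, Meta or Cloudflare: it runs under Node.js and checks every delivered script against a published manifest, flagging both altered and unlisted scripts. The manifest shape, the choice of SHA-256, the script names, the sample sources and the function names are all assumptions made for illustration.

```javascript
// Added illustration; not the Code Verify extension's source code.
const { createHash } = require("node:crypto");

// SHA-256 of a script body as lowercase hex (assumed hash choice).
function sha256Hex(source) {
  return createHash("sha256").update(source, "utf8").digest("hex");
}

// manifest: { scriptName: expectedHex } from the independent party (assumed shape).
// delivered: { scriptName: sourceText } as actually received by the browser.
function verifyScripts(manifest, delivered) {
  const report = { verified: [], mismatched: [], unexpected: [] };
  for (const [name, source] of Object.entries(delivered)) {
    if (!Object.prototype.hasOwnProperty.call(manifest, name)) {
      report.unexpected.push(name); // script the publisher never listed
    } else if (sha256Hex(source) === manifest[name].toLowerCase()) {
      report.verified.push(name);
    } else {
      report.mismatched.push(name); // listed, but the content differs
    }
  }
  // Any mismatch or unlisted script fails the whole page.
  report.ok = report.mismatched.length === 0 && report.unexpected.length === 0;
  return report;
}

// Constructed sample data: two scripts as the publisher intended them.
const INTENDED = {
  "app.js": "function send(msg, key) { return transmit(encrypt(msg, key)); }",
  "crypto.js": "function encrypt(msg, key) { return seal(msg, key); }",
};
const MANIFEST = Object.fromEntries(
  Object.entries(INTENDED).map(([name, src]) => [name, sha256Hex(src)])
);

// Constructed delivery in which one script was altered and one was added.
const TAMPERED = {
  "app.js": INTENDED["app.js"],
  "crypto.js": "function encrypt(msg, key) { return msg; }",
  "extra.js": "console.log('not in the manifest');",
};

console.log(verifyScripts(MANIFEST, INTENDED).ok);
console.log(verifyScripts(MANIFEST, TAMPERED));
```

The check is only as trustworthy as the channel the manifest arrives over, which is why the page's design has the expected hash held by a party other than the one serving the scripts.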
This is Just the Beginning
The new extension is now available for download on Microsoft’s Edge and Google’s Chrome browsers, and it is highly recommended that users start using it. A Firefox browser version is in the works, as is a Safari version for macOS, according to WhatsApp’s parent company Meta. This new collaborative effort is “just the beginning of the work we’re doing to help improve privacy and security on the web,” Cloudflare wrote. Cloudflare is also going to continue helping other organizations with secure and assured code verification processes that will better help users verify the code they’re meant to be running, Cloudflare added. “Protecting Internet users at scale and enabling privacy are core tenets of what we do at Cloudflare, and we look forward to continuing this work throughout 2022.” While you grab the new “Code Verify” extension for your browser, you can get yourself up to speed on our expert WhatsApp security tips with our full guide on WhatsApp scams.