WhatsApp extension to detect tampering with desktop web apps • The Register
WhatsApp and Cloudflare have teamed up to provide desktop users of WhatsApp’s web client with a browser extension called Code Verify that verifies the integrity of software running in their browser.
WhatsApp offers end-to-end encryption that protects users’ messages from being read by network intermediaries. But the Meta-owned company would like to add more security to his web clientbecause web security differs from native app security and WhatsApp is increasingly used on the web.
code verification, according to Richard Hansen, software engineer at Meta, and Vincente Silveira, product manager for WhatsApp, rely on a browser security feature called subsource integrity which allows browsers to check if recovered files have been modified.
“Cloudflare has a hash of the code that WhatsApp users should run,” Product Manager Matt Silverlock, Chief Innovation Officer James Allworth and Security Technologist Mari Galicer said in a statement. blog post.
“When users run WhatsApp in their browser, the WhatsApp Code Verify extension compares a hash of that code running in their browser with Cloudflare’s hash, allowing them to easily see if the code running is the code which should be .”
The WhatsApp Integrity Checker extension could make users of WhatsApp and other services that implement Code Verity less inclined to install extensions that modify social media functions and pose potential security issues by triggering alerts. It may also discourage the use of content blocking and privacy extensions. The register tested Code Verify with uBlock Origin and Privacy Badger active, among other extensions, and Code Verify presented an orange badge with the following warning:
Failed to validate the page due to another browser extension. Consider pausing other extensions and trying again.
This scenario is covered in a support page for code verification. This suggests the need for an additional extension to bulk disable and re-enable all other installed extensions, just to ensure that Code Verify can perform its code verification without interference.
Perhaps aware of the reputation of Onavo, Facebook’s deprecated data-collecting VPN, Hansen and Silveira offer assurances that Code Verify has no secret program to collect user data.
“The extension does not log any data, metadata or user data, and does not share any information with WhatsApp,” they claim. “It also does not read or access any messages you send or receive. In fact, neither WhatsApp nor Meta will know if someone has downloaded the Code Verify extension. Also, the Code Verify extension does not never sends messages or chats between WhatsApp users to Cloudflare.”
Code verification has been released as open source code so any website can use it.
“We believe that with Code Verify, we are breaking new ground with automatic third-party code verification, especially at this scale,” said Hansen and Silveira. “We hope more services will use the open source version of Code Verify and make third-party verified web code the new normal.” ®