WhatsApp has added an additional layer of security to WhatsApp Web with a tool called Code Verify.
Code Verify is an open-source web browser extension that automatically verifies the authenticity of the WhatsApp Web code being served to a user’s browser. The Code Verify extension is offered by Meta Open Source and will be available on the official browser extension stores for Google Chrome, Microsoft Edge, and Mozilla Firefox.
“Since WhatsApp introduced multi-device capability last year, we’ve seen an increase in people accessing WhatsApp directly through their web browser via WhatsApp Web. With this shift in mind, we’ve been looking at ways to add additional layers of security to the WhatsApp Web experience,” WhatsApp said in a statement.
Code Verify confirms that the WhatsApp Web code hasn’t been tampered with or altered and that the WhatsApp Web experience that a user is getting is the same as everyone else’s.
“Code Verify would warn you if WhatsApp were serving a compromised version of WhatsApp just for you. While we have never done this, true security means you shouldn’t have to trust us. Especially if you are someone who might be targeted by a hacker or overreaching government,” explained WhatsApp head, Will Cathcart, in a tweet.
“Code Verify will also warn you if you have a browser extension installed that is modifying your WhatsApp Web experience, which could be malicious. We recommend at-risk and security-conscious users like journalists and those in civil society add this to their security toolkit,” Cathcart added.
How it works
As WhatsApp explained in its announcement post, in contrast to a downloadable mobile app, a web app is usually served directly to users, without a third party reviewing and auditing the code.
“There are many factors that could weaken the security of a web browser that don’t exist in the mobile app space, such as browser extensions. Additionally, because the mobile app space was built after the web was created, the security guarantees offered on mobile can be stronger, particularly given that third-party app stores review and approve each app and software update,” it added.
“Code Verify expands on the concept of subresource integrity, a security feature that lets web browsers verify that the resources they fetch haven’t been manipulated,” it further explained.
Subresource integrity applies only to single files, whereas Code Verify checks the resources on the entire webpage. WhatsApp has partnered with Cloudflare, a web infrastructure and security company, to provide independent, third-party, transparent verification of the code and to carry out this verification process at scale.
“We’ve given Cloudflare a cryptographic hash source of truth for WhatsApp Web’s JavaScript code. When someone uses Code Verify, the extension automatically compares the code that runs on WhatsApp Web against the version of the code verified by WhatsApp and published on Cloudflare. If there are any inconsistencies, Code Verify will notify the user,” it explained.
WhatsApp’s security protections, the Code Verify extension, and Cloudflare all work together to provide real-time code verification. Whenever the code for WhatsApp Web is updated, the cryptographic hash source of truth and extension will update automatically as well.
“The extension doesn’t log any data, metadata, or user data, and it does not share any information with WhatsApp. It also does not read or access the messages you send or receive. In fact, neither WhatsApp nor Meta will know whether someone has downloaded the Code Verify extension. Additionally, the Code Verify extension never sends messages or chats between WhatsApp users to Cloudflare,” it further added.
Once installed, Code Verify will run automatically when you go to WhatsApp Web and act as a “real-time alert system” for the code that is being served to a user on WhatsApp Web. WhatsApp also recommended pinning the extension to the web browser’s toolbar for easy access.
Comparing Code Verify to a traffic light for WhatsApp Web code, WhatsApp explained that the extension runs immediately, and if the WhatsApp Web code is fully validated, the Code Verify icon in the browser will appear green.
If the Code Verify icon appears orange, it means that the user needs to refresh their page or another browser extension is interfering with Code Verify.
“In this instance, Code Verify will recommend that you pause your other browser extensions,” it said.
If the Code Verify icon appears red, it will indicate that there is a possible security issue with the WhatsApp Web code that is being served to the user.
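The verification model described above (a published hash manifest acting as the source of truth, the extension hashing every resource the browser actually received, and the green/orange/red traffic light) can be illustrated in a few dozen lines. The following is an added example written for this article, not Code Verify's own code or any WhatsApp, Meta or Cloudflare source: the resource contents, version strings and hashes are constructed for the example, and the exact rules that map a condition to orange versus red are an assumption modelled on the article's description, not the extension's documented behaviour. It also shows the point the article makes about subresource integrity: because the whole page is checked against the manifest, a script that is not in the manifest at all is flagged, not just a modified known file.

```python
import hashlib

# --- Constructed sample data (not real WhatsApp Web code, versions or hashes) ---
# Resources the site author built and published as the source of truth.
KNOWN_GOOD_RESOURCES = {
    "/app.js": b"console.log('app bundle');",
    "/vendor.js": b"console.log('vendor bundle');",
}
PUBLISHED_VERSION = "2.2208.0-example"  # constructed version tag


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the hash form that SRI-style checks compare on."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(resources, version):
    """What the site would hand to an independent host (Cloudflare in the article):
    a version tag plus one hash per resource that should appear on the page."""
    return {"version": version,
            "files": {path: sha256_hex(body) for path, body in resources.items()}}


def verify_page(page_version, served_resources, manifest, other_extension_interfering=False):
    """Compare every resource the browser actually received against the manifest.

    Returns (status, reasons). The colour mapping is an assumption for this example:
      green  - every resource matches and nothing unexpected is present
      orange - cannot judge yet: the page version differs from the published
               manifest (refresh the page) or another extension is interfering
      red    - same version, but the served code differs from the source of truth
    """
    reasons = []
    if other_extension_interfering:
        reasons.append("another extension is modifying the page; pause other extensions")
    if page_version != manifest["version"]:
        reasons.append(f"page version {page_version} != manifest {manifest['version']}; refresh the page")
    if reasons:
        return "orange", reasons

    expected = manifest["files"]
    for path, body in served_resources.items():
        if path not in expected:
            reasons.append(f"unexpected resource {path} not in manifest")
        elif sha256_hex(body) != expected[path]:
            reasons.append(f"hash mismatch for {path}")
    for path in expected:
        if path not in served_resources:
            reasons.append(f"expected resource {path} missing")
    return ("red", reasons) if reasons else ("green", [])


MANIFEST = build_manifest(KNOWN_GOOD_RESOURCES, PUBLISHED_VERSION)


def demo():
    """Four served pages: untouched, altered plus an injected file, stale, and
    one where another extension is interfering. Returns a name -> result map."""
    clean = dict(KNOWN_GOOD_RESOURCES)
    tampered = dict(KNOWN_GOOD_RESOURCES)
    tampered["/app.js"] = KNOWN_GOOD_RESOURCES["/app.js"] + b"\n/* altered */"
    tampered["/extra.js"] = b"/* script not present in the manifest */"
    return {
        "clean": verify_page(PUBLISHED_VERSION, clean, MANIFEST),
        "tampered": verify_page(PUBLISHED_VERSION, tampered, MANIFEST),
        "stale": verify_page("2.2207.0-example", clean, MANIFEST),
        "interference": verify_page(PUBLISHED_VERSION, clean, MANIFEST,
                                    other_extension_interfering=True),
    }


if __name__ == "__main__":
    for name, (status, reasons) in demo().items():
        print(f"{name}: {status} {reasons}")
```

Run it directly to see the four outcomes. The manifest is built from the same bytes the "clean" page serves, so that page is green; the tampered page is red with two reasons (a changed known file and an extra file); a page whose version tag is behind the manifest, or one where another extension is interfering, is orange, matching the article's advice to refresh or pause other extensions before drawing any conclusion.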