
WhatsApp emits extension to detect tampering with desktop web apps

WhatsApp and Cloudflare have teamed up to provide desktop users of WhatsApp’s web client with a browser extension called Code Verify that checks the integrity of the software running in their browser.

WhatsApp offers end-to-end encryption that protects the user messages from being read by network intermediaries. But the Meta-owned biz would like to add more security to its web client, because web security differs from native app security and WhatsApp is seeing more web usage.

Code Verify, according to Richard Hansen, software engineer at Meta, and Vincente Silveira, product manager for WhatsApp, builds on a browser security feature called subresource integrity that allows browsers to check whether fetched files have been altered.

Where subresource integrity checks individual files against a cryptographic hash, Code Verify looks at all the JavaScript code on the WhatsApp web page. As that’s rather resource-intensive to do at scale, WhatsApp has partnered with Cloudflare to handle the verification.

“Cloudflare holds a hash of the code that WhatsApp users should be running,” said Matt Silverlock, director of product, James Allworth, head of innovation, and Mari Galicer, security technologist, in a blog post.

“When users run WhatsApp in their browser, the WhatsApp Code Verify extension compares a hash of that code that is executing in their browser with the hash that Cloudflare has – enabling them to easily see whether the code that is executing is the code that should be.”

Code Verify is available for Google Chrome, Microsoft Edge, and Mozilla Firefox, with support for Safari planned. Once installed, it runs immediately and tries to validate WhatsApp’s JavaScript libraries. The scheme shows green if everything validates, orange if the page needs to be refreshed or another extension is interfering with Code Verify, and red if a hash mismatch has been detected, indicating a potential security issue.

By raising alerts, WhatsApp’s integrity checking extension could make users of WhatsApp and other services that implement Code Verify less inclined to install extensions that alter social network functions and pose potential security concerns. It may also discourage the use of content blocking and privacy extensions. The Register tested Code Verify with uBlock Origin and Privacy Badger active, among other extensions, and Code Verify presented an orange badge with the following warning:

Possible Risk Detected

Cannot validate the page due to another browser extension. Consider pausing the other extension(s) and re-trying.

This scenario is covered in a support page for Code Verify. It suggests the need for an additional extension to bulk disable and re-enable every other installed extension, just to make sure Code Verify can conduct its code check without meddling.

Perhaps aware of the reputation of Facebook’s discontinued data-harvesting VPN Onavo, Hansen and Silveira offer assurance that Code Verify does not have a secret agenda to gather user data.

“The extension does not log any data, metadata, or user data, and it does not share any information with WhatsApp,” they claim. “It also does not read or access the messages you send or receive. In fact, neither WhatsApp nor Meta will know whether someone has downloaded the Code Verify extension. Additionally, the Code Verify extension never sends messages or chats between WhatsApp users to Cloudflare.”

Code Verify has been released as open source code so that any website can use it.

“We believe that with Code Verify, we are charting new territory with automatic third-party code verification, particularly at this scale,” said Hansen and Silveira. “We hope that more services use the open source version of Code Verify and make third-party verified web code the new norm.” ®