WhatsApp may expose the OS you use to run it – which could expose you to crooks
- Reference: 1729052770
- News link: https://www.theregister.co.uk/2024/10/16/whatsapp_privacy_concerns/
- Source link:
That analysis comes from security researchers at cryptocurrency wallet maker Zengo, who previously [1]found a security weakness in the app's View Once feature – and now claim they’ve found another flaw.
The issue stems from how the application manages its multi-device setup, and the metadata it broadcasts during communication.
[2]
"We found out that different implementations of WhatsApp generate that message ID in a different manner, which allows us to fingerprint them to know if it's coming from Windows," Zengo cofounder Tal Be'ery told The Register .
[3]
[4]
In an [5]explainer , Be'ery detailed how each device linked to a WhatsApp account – whether it's web, macOS, Android, iPhone, or Windows – is assigned a unique and persistent identity key.
The qualities of those keys vary for each OS on which WhatsApp runs: a 32-character ID is created for Android devices, iPhones use a 20-character prefix that is preceded four additional characters, while the WhatsApp desktop app for Windows uses an 18-character ID.
[6]
The different qualities of IDs for different platforms, Be’ery argues, mean someone trying to spread malware through WhatsApp could identify users' operating system and target them accordingly.
"It's not the end of the world," he assured. "But when you send malware to a device it's really, really important to know which operating system it runs on, because you have different vulnerabilities and different exploits."
[7]WhatsApp still working on making View Once chats actually disappear for all
[8]WhatsApp's 'View Once' could be 'View Whenever' due to a flaw
[9]Meta accused of snarfing people's Snapchat data via traffic decryption
[10]Venerable ICQ messaging service to end operations in June
A clever attacker could even look at all IDs associated with a user, figure out all the OSes on which they access WhatsApp, and choose the most vulnerable one to attack, Be'ery suggested.
He noted that Meta had been alerted to the problem and acknowledged the finding on September 17. But since then, the security team at Zengo has heard nothing in response. "It's fairly easy to comprehend," he explained – adding that in the absence of any response, Zengo was taking the issue public.
WhatsApp had no comment at the time of going to press. ®
Get our [11]Tech Resources
[1] https://www.theregister.com/2024/09/18/whatsapp_view_once_flaw_unfixed/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zw-OxYV9VxBt4bCF0GpUUgAAAIM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zw-OxYV9VxBt4bCF0GpUUgAAAIM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zw-OxYV9VxBt4bCF0GpUUgAAAIM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://medium.com/@TalBeerySec/i-know-which-device-you-used-last-summer-fingerprinting-whatsapp-users-devices-71b21ac8dc70
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zw-OxYV9VxBt4bCF0GpUUgAAAIM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/09/18/whatsapp_view_once_flaw_unfixed/
[8] https://www.theregister.com/2024/09/09/whatsapp_view_once_flaw/
[9] https://www.theregister.com/2024/03/27/meta_snapchat_data/
[10] https://www.theregister.com/2024/05/27/icq_end_of_service/
[11] https://whitepapers.theregister.com/
Real friends...
Don't ask you to install an app just for the privilege to be able to talk to them...
Re: Real friends...
In my experience, real friends will make every effort to stay in touch with you, and if that means using a different app will do so. Fake friends will just complain 'but you're not on facebook' as justification for not bothering and being lazy and unwilling to suffer an inconvenience. When I left facebook 12 yrs ago... I soon found that out. I have 2 friends left out of all of them.
Installing a more secure app for your more privacy & security concious friends, is for their benefit too.
But never underestimate how lazy people are and unwilling to suffer any tiny inconvenience that doesn't conform/align with their demands.
Facts, not scare stories
> someone trying to spread malware through WhatsApp
This article is all supposition ( ... may ... ... could ... ) but short on facts and specifics.
Is there any actual Whatsapp malware (assuming nobody is daft enough to use a fake Whatsapp app). Considering it is end-to-end encrypted, I would love to know how someone could inject malware into the circuit - short of sending an attachment from a legitimate Whatsapp account.
And if they did put a payload in an attachment, why bother targeting just one specific platform?
"...which could expose you to crooks..."
Really?
Define "crooks"!!
So...this weakness "could expose you to the NSA, GCHQ and various other Five Eyes snoops".
Ah....but then El Reg is a known supporter of the so-called "good guys". Bad journalism!
Re: "...which could expose you to crooks..."
Why is this thread already full of oddballs? They're usually more diluted than this.
Stop unknown contacts
Should have an option to auto block unknown contacts.
If you are not a contact of mine then I do not know you and do not want to engage with you at all in anything. Once I know who you are and have your number you are added to a contact list.
If you are starred, you can ring me
If you are not starred and ring me, I will see and I may get back to you
If you are not in my contact list, leave a message and hope I listen to it as otherwise I will ignore you.
Private / Withheld calls - never bother with
stopped using these crooks for non business use years ago!
for business use... been freeloading for ages ... fair game ... use and abuse :)
for my penance (and satisfaction) i run this on an el cheapo ionos vm .... https://github.com/signalapp/Signal-TLS-Proxy
doing my bit :)
PS another upside .... in this vacuos social media world ..... you soon find who ur real friends are .... they will just install signal or ask you to install it for them, others end up using the freeloading business account (and so mostly ignored unless they are usefull)