WhatsApp on the Web is a convenient way to access the messaging service on a desktop, without the hassle of installing an app. However, with the web, there’s always a risk of bad actors trying to trick users. With that in mind, WhatsApp is now offering a browser extension that verifies if users are on the authentic web version, or if they are on a tampered page that can steal data and install malware among other evil deeds.
How to use it
The process of using the browser extension-based security system is easy. Just go to the Chrome web store and search for Code Verify, hit the blue Add to Chrome button, and you’re good to go. As of now, Code Verify only works on Chrome, Edge, and Mozilla Firefox, but a version tailored for Safari is also in the development phase.
Once the browser extension has been installed and pinned to the toolbar, it will start doing its code verification job automatically every time users visit the WhatsApp Web page. And to inform users about the activity status, a color-code indicator system has been put in place. A green icon means everything is fine and there are no security risks.
If the Code Verify icon shows an orange circle with a question mark, it is a sign that the network request was timed out. An orange alert means the network connection might be stable or something is interfering with the verification process. To fix it, try reloading the page, changing the Wi-Fi network, or pausing other browser extensions.
A red indicator with an exclamation mark is a sign that the source code couldn’t be verified, and that’s a possible security risk. In such a scenario, disable the other extensions and reload the WhatsApp Web page to see if the warning sign goes away.
Meta assures that the Code Verify extension doesn’t interfere with the privacy aspect. It won’t log any activity data, collect metadata, or access any of the user information on its own. More importantly, the extension doesn’t let anyone take a peek at the messages as they are end-to-end encrypted, just the way they are on the mobile app.
How it works
Created in collaboration with Cloudflare, Code Verify relies on a security feature called subresource integrity that will check resources on the entire webpage. At the heart of the browser is a hash matching system, which also forms the backbone of Apple’s iCloud photo scanning system for CSAM detection.
“Whenever the code for WhatsApp Web is updated, the cryptographic hash source of truth and extension will update automatically as well,” Meta says in its announcement. The idea is to automate the process of hash matching, and then deploy it on a scale for hundreds of millions of WhatsApp users. Additional in-depth technical details about the Code Verify extension can be found here.
