WhatsApp may expose the OS you use to run it – which could expose you to crooks

Meta knows messaging service creates persistent user IDs that have different qualities on each device

by · The Register

Updated An analysis of Meta's WhatsApp messaging software reveals that it may expose which operating system a user is running, and their device setup information – including the number of linked devices.

That analysis comes from security researchers at cryptocurrency wallet maker Zengo, who previously found a security weakness in the app's View Once feature – and now claim they’ve found another flaw.

The issue stems from how the application manages its multi-device setup, and the metadata it broadcasts during communication.

"We found out that different implementations of WhatsApp generate that message ID in a different manner, which allows us to fingerprint them to know if it's coming from Windows," Zengo cofounder Tal Be'ery told The Register.

In an explainer, Be'ery detailed how each device linked to a WhatsApp account – whether it's web, macOS, Android, iPhone, or Windows – is assigned a unique and persistent identity key.

The qualities of those keys vary for each OS on which WhatsApp runs: a 32-character ID is created for Android devices, iPhones use a 20-character prefix that is preceded four additional characters, while the WhatsApp desktop app for Windows uses an 18-character ID.

The different qualities of IDs for different platforms, Be’ery argues, mean someone trying to spread malware through WhatsApp could identify users' operating system and target them accordingly.

"It's not the end of the world," he assured. "But when you send malware to a device it's really, really important to know which operating system it runs on, because you have different vulnerabilities and different exploits."

A clever attacker could even look at all IDs associated with a user, figure out all the OSes on which they access WhatsApp, and choose the most vulnerable one to attack, Be'ery suggested.

He noted that Meta had been alerted to the problem and acknowledged the finding on September 17. But since then, the security team at Zengo has heard nothing in response. "It's fairly easy to comprehend," he explained – adding that in the absence of any response, Zengo was taking the issue public.

WhatsApp had no comment at the time of going to press. ®

Updated at 22:30 UTC October 16

Meta has acknowledged the bug report, but did not advise when it intends to fix it.

A spokesperson sent the following info to The Register:

"We appreciate the researcher's submission. We remain focused on protecting our users against many different vectors of attack while still ensuring we can smoothly run a service that over 2 billion people use around the world."

WhatsApp still working on making View Once chats actually disappear for allSo far it's more like View ForeverIain Thomson, 18 Sep 2024WhatsApp's 'View Once' could be 'View Whenever' due to a flawIt promised vanishing messages, but now 'it's privacy theater'Iain Thomson, 09 Sep 2024Meta accused of snarfing people's Snapchat data via traffic decryptionI ain't afraid of no ghosts, but in this case...Thomas Claburn, 27 Mar 2024Venerable ICQ messaging service to end operations in JuneSuggested heir is Putin-approved and hard to download outside RussiaSimon Sharwood, 27 May 2024