Cybersecurity experts from the crypto wallet company Zengo have found a weakness in WhatsApp, Meta’s messaging app, through which a hacker could know which operating system the device from which we are using the application uses, as well as aspects of your configuration.
As explained by security researcher Tal Be’ery, “WhatsApp exposes, by design, certain information about the devices used by its users to any user of the platform and does not provide any controls or settings that allow users to control this exposure ( Even blocking a user doesn’t solve it), writes Be’ery on his blog.
This information can be extracted from the encryption key that is added to the metadata of the messages, and has to do with how the app manages its multi-device system. With this data, an attacker can know how many and what type of devices we use to enter WhatsApp.
And each of these keys is generated differently depending on the device:
- On Android devices, a 32-character ID is created.
- On iPhone phones, a 20-character prefix is used that follows four additional characters.
- In the WhatsApp desktop app for Windows, an 18-character ID is created.
This is dangerous because, if an attacker has any type of access to WhatsApp communications with the victim, they could use this information to send specialized malware to the victim’s device, which can specifically affect a Windows computer, an Android phone or to a macOS PC, for example.
Specifically, they warn that a cybercriminal could obtain information about:
- The number of user devices: The WhatsApp user must have a primary mobile device and up to four complementary non-mobile devices (desktop app, Web).
- Long-term device identifiers: Each device is assigned a unique, immutable WhatsApp ID that is exposed to potential senders, allowing for continuous monitoring and identification of the active device.
- The basic identification of the device type: whether the device is the primary mobile device or one of four non-mobile companion devices (desktop app, web).
In the words of Tal Be’ery, this information “can allow attackers to obtain necessary information about their victims, such as the number of devices, changes in configuration by monitoring this data over time, and what message was sent why.” device (including acknowledgments and read receipts)”.
Goal, aware of the problem
From Zengo they have warned Meta about the findings of their investigation, and explain that from Meta they confirmed knowing about this circumstance on September 17.
Since then they have not commented on the matter, so it is unknown if they are working on a solution or if, on the contrary, they consider this fact as a minor problem, while WhatsApp uses an encryption protocol (E2EE) to protect your communications and simply knowing this information does not mean that someone can infect us with malware on their own.