WhatsApp extension to detect tampering with desktop web apps • The Register


WhatsApp and Cloudflare have teamed up to provide desktop users of WhatsApp’s web client with a browser extension called Code Verify that verifies the integrity of software running in their browser.

WhatsApp offers end-to-end encryption that protects users' messages from being read by network intermediaries. But the Meta-owned company would like to add more assurance to its web client: unlike a native app, a web app's code is fetched from the server on every load, so the security model differs, and WhatsApp is seeing more web usage.

Code Verify, according to Richard Hansen, software engineer at Meta, and Vincente Silveira, product manager for WhatsApp, builds on a browser security feature called Subresource Integrity (SRI), which lets a page declare the expected hash of a script or stylesheet so the browser can check the fetched file against it and refuse to run a file that has been modified.

Where Subresource Integrity verifies individual files against a cryptographic hash, Code Verify examines all the JavaScript code on the WhatsApp web page. Since this is resource-intensive to do at scale, WhatsApp has partnered with Cloudflare to publish the reference hash and handle the verification.

“Cloudflare has a hash of the code that WhatsApp users should run,” Product Manager Matt Silverlock, Chief Innovation Officer James Allworth, and Security Technologist Mari Galicer said in a blog post.

“When users run WhatsApp in their browser, the WhatsApp Code Verify extension compares a hash of that code running in their browser with Cloudflare’s hash, allowing them to easily see if the code running is the code which should be.”

Code Verify is available for Google Chrome, Microsoft Edge, and Mozilla Firefox, with Safari support planned. Once installed, it runs immediately and tries to validate WhatsApp’s JavaScript libraries. The extension’s icon is green if everything passes, orange if the page needs to be refreshed or another extension is interfering with Code Verify, and red if a hash mismatch has been detected, indicating a potential security issue.

By triggering alerts, Code Verify could make users of WhatsApp, and of other services that adopt it, less inclined to install extensions that modify social media functions and pose potential security issues. It may also discourage the use of content-blocking and privacy extensions. The Register tested Code Verify with uBlock Origin and Privacy Badger active, among other extensions, and Code Verify presented an orange badge with the following warning:

Possible risk detected

Failed to validate the page due to another browser extension. Consider pausing other extensions and trying again.

This scenario is covered in a support page for Code Verify, which suggests the need for an additional extension to bulk disable and re-enable all other installed extensions, just to ensure that Code Verify can perform its code verification without interference.

Perhaps aware of the reputation of Onavo, Facebook’s deprecated data-collecting VPN, Hansen and Silveira offer assurances that Code Verify has no secret program to collect user data.

“The extension does not log any data, metadata, or user data, and does not share any information with WhatsApp,” they claim. “It also does not read or access any messages you send or receive. In fact, neither WhatsApp nor Meta will know if someone has downloaded the Code Verify extension. Also, the Code Verify extension never sends messages or chats between WhatsApp users to Cloudflare.”

Code Verify has been released as open source code so that any website can use it.

“We believe that with Code Verify, we are breaking new ground with automatic third-party code verification, especially at this scale,” said Hansen and Silveira. “We hope more services will use the open source version of Code Verify and make third-party verified web code the new normal.” ®