An analysis of Meta's WhatsApp messaging software reveals that it may expose which operating system a user is running, and their device setup information – including the number of linked devices.
That analysis comes from security researchers at cryptocurrency wallet maker Zengo, who previously found a security weakness in the app's View Once feature – and now claim they’ve found another flaw.
The issue stems from how the application manages its multi-device setup, and the metadata it broadcasts during communication.
"We found out that different implementations of WhatsApp generate that message ID in a different manner, which allows us to fingerprint them to know if it's coming from Windows," Zengo cofounder Tal Be'ery told The Register.
In an explainer, Be'ery detailed how each device linked to a WhatsApp account – whether it's web, macOS, Android, iPhone, or Windows – is assigned a unique and persistent identity key.
The qualities of those keys vary for each OS on which WhatsApp runs: a 32-character ID is created for Android devices, iPhones use a 20-character prefix that is preceded four additional characters, while the WhatsApp desktop app for Windows uses an 18-character ID.
The different qualities of IDs for different platforms, Be’ery argues, mean someone trying to spread malware through WhatsApp could identify users' operating system and target them accordingly.
"It's not the end of the world," he assured. "But when you send malware to a device it's really, really important to know which operating system it runs on, because you have different vulnerabilities and different exploits."
- WhatsApp still working on making View Once chats actually disappear for all
- WhatsApp's 'View Once' could be 'View Whenever' due to a flaw
- Meta accused of snarfing people's Snapchat data via traffic decryption
- Venerable ICQ messaging service to end operations in June
A clever attacker could even look at all IDs associated with a user, figure out all the OSes on which they access WhatsApp, and choose the most vulnerable one to attack, Be'ery suggested.
He noted that Meta had been alerted to the problem and acknowledged the finding on September 17. But since then, the security team at Zengo has heard nothing in response. "It's fairly easy to comprehend," he explained – adding that in the absence of any response, Zengo was taking the issue public.
WhatsApp had no comment at the time of going to press. ®