WhatsApp Multi-Device Feature Vulnerability Exposes User Device Information

A recently discovered security vulnerability in WhatsApp's Multi-Device feature poses a potential threat to user privacy. This flaw allows hackers to glean information about the types of devices, their operating systems, and the number of devices used to access a single WhatsApp account.

Exploiting Message Identifiers

This vulnerability stems from WhatsApp's practice of generating unique message identification codes (message IDs) for each platform. These IDs vary in length and structure depending on whether the user is using a Windows, MacOS, Android, or iOS device. For example, Android phones generate 32-character message IDs, while iPhones use 20-character IDs with a prefix. WhatsApp Desktop for Windows employs 18-character IDs.

Targeted Attacks

By analyzing these message IDs, hackers can identify the platform a message originated from. This knowledge allows them to tailor their attacks based on the user's device. If a user is using a Windows device, they may be targeted with malware designed to compromise Windows systems. Similarly, Android users could be sent malware specifically crafted for their platform.

Zengo's Discovery

The vulnerability was discovered by security researchers at Zengo, a company specializing in cryptocurrency wallets. Tal Be'ery, Zengo's co-founder, highlighted the potential for exploitation, stating, "We found that different WhatsApp implementations on different platforms generate different message IDs, which allows us to identify them and know if a message originated from Windows."

Meta's Acknowledgement

Zengo has notified Meta, WhatsApp's parent company, about the vulnerability. As of October 16, 2024, Meta has acknowledged the bug report but has yet to disclose a timeline for a fix. A Meta spokesperson stated, "We appreciate the researchers’ submission. We remain focused on protecting our users from various attacks while ensuring we can seamlessly run the services used by over 2 billion people around the world."

Prior Vulnerability

This isn't the first time Zengo researchers have uncovered vulnerabilities in WhatsApp. Previously, they identified a flaw in the View Once feature, which allows users to send disappearing photos and videos. This bug enabled users to repeatedly view these messages, potentially compromising the privacy of sensitive content. However, Meta addressed this issue on September 12, 2024.

What specific information does the vulnerability expose about WhatsApp users?

This vulnerability reveals the types and number of devices a user is accessing WhatsApp on, as well as the operating systems (OS) used by each device. This information allows hackers to tailor their attacks based on the specific device and OS.

How does WhatsApp's Multi-Device feature contribute to this vulnerability?

The Multi-Device feature allows users to access their WhatsApp account on multiple devices simultaneously. Hackers can exploit this feature by analyzing the different message IDs generated by each device to identify the platform, and then target users with platform-specific malware.

What measures can users take to mitigate the risk of this vulnerability?

Users should be cautious about clicking on suspicious links or downloading files from unknown sources. This vulnerability has not been widely exploited yet, but taking these precautions can help protect against potential attacks.

What is the specific cause of the vulnerability in WhatsApp's Multi-Device feature?

The vulnerability stems from WhatsApp generating different message IDs based on the platform being used, such as Windows, macOS, Android, or iPhone. These unique message IDs can be identified and exploited by hackers to gather information about the user's devices and target them with malware.

User Awareness

While this specific vulnerability has yet to be widely exploited, it's crucial for users to remain vigilant. Avoiding clicking on suspicious links and refraining from downloading files from untrusted sources are essential precautions. Users are awaiting Meta's swift resolution to ensure the continued security and privacy of WhatsApp communications.