WhatsApp, the Meta-owned messaging app with over 2 billion active users, has a privacy weakness that discloses a user's device information to anyone who messages them, according to new findings by security researcher Tal Be'ery.
In a blog post, Be'ery explains that, because of how WhatsApp's end-to-end encryption protocol is designed, when a user sends a message to someone who uses WhatsApp on multiple devices, information about the recipient's devices is disclosed to the sender. This covers the recipient's primary phone as well as up to four additional linked devices, such as the desktop or web clients.
The device information is exposed even if the recipient has blocked the sender or does not have the sender in their contacts. By monitoring these device identities over time, the sender can infer changes to the recipient's WhatsApp setup, such as devices being linked or removed.
Be'ery traces the leak to WhatsApp's move to a multi-device architecture in 2021. To extend end-to-end encryption across devices, each device generates its own identity key pair. The sender's client then encrypts each message separately for each of the recipient's devices, using the corresponding device-specific key.
This "client-fanout" approach inherently exposes the identities of all the recipient's devices to the sender: a client cannot encrypt to a device without first holding that device's key. Previously a sender saw only the key of the recipient's phone; now it sees the keys of every linked device as well. These identity keys are public keys, so holding them does not let the sender read anything; what leaks is the inventory of devices and the timeline of changes to it.
Using WhatsApp Web and inspecting the browser's local storage for the site, a sender can read these device identities directly and watch them change over time. Be'ery confirmed through testing that the stored records match the recipient's real devices and that they are present even when the recipient has blocked the sender.
[Figure: the identity store table, listing all contacts' devices and their identity keys]
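To make the mechanism concrete, here is an editor's added model of client fanout and of the change tracking a sender can do on top of it. It is not code from Be'ery's post or from WhatsApp: the stream cipher and key derivation are toy stand-ins for the Signal protocol, and the phone number, device IDs and keys are constructed sample data.

```python
"""Constructed model of WhatsApp-style client fanout and the device-inventory
leak it implies. Editor's added example, not code from Be'ery's post or from
WhatsApp; the cipher is a toy stand-in, not the Signal protocol, and every
phone number, device ID and key below is made-up sample data."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    device_id: int       # 0 = primary phone, 1..4 = linked desktop/web sessions
    identity_key: bytes  # the device's public identity key (deterministic here)


def new_device(device_id: int, seed: str) -> Device:
    """Recipient side: every device generates its own identity key. Derived
    from a seed so the run is reproducible; real keys are random."""
    return Device(device_id, hashlib.sha256(f"identity:{seed}".encode()).digest())


@dataclass
class SenderStore:
    """Sender side: what the client must persist (WhatsApp Web keeps it in
    browser storage) to be able to encrypt to each of a contact's devices."""
    identities: dict = field(default_factory=dict)  # contact -> {device_id: key}


def _session_key(identity_key: bytes, contact: str) -> bytes:
    """Toy per-device key derivation (stand-in for a real X3DH/Double Ratchet session)."""
    return hashlib.sha256(b"toy-session|" + identity_key + contact.encode()).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Illustrative only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def fanout_encrypt(store: SenderStore, contact: str, devices, plaintext: bytes) -> dict:
    """Client fanout: one ciphertext per recipient device. To do this the sender
    fetches the contact's current device list and keeps every device's identity
    key locally, which is exactly what a curious sender can read back."""
    store.identities[contact] = {d.device_id: d.identity_key for d in devices}
    return {d.device_id: _keystream_xor(_session_key(d.identity_key, contact), plaintext)
            for d in devices}


def device_decrypt(dev: Device, contact: str, ciphertext: bytes) -> bytes:
    """A recipient device recovers only the copy addressed to it."""
    return _keystream_xor(_session_key(dev.identity_key, contact), ciphertext)


def device_inventory(store: SenderStore, contact: str) -> dict:
    """What the sender can read from its own store: device_id -> identity key hex."""
    return {dev_id: key.hex() for dev_id, key in store.identities.get(contact, {}).items()}


def diff_inventories(old: dict, new: dict) -> dict:
    """Compare two snapshots of a contact's device inventory."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "rekeyed": sorted(d for d in set(old) & set(new) if old[d] != new[d]),
    }


def simulate() -> list:
    """Three messages sent over three days by someone the target may have
    blocked or never saved. Returns the inventory change seen at each send."""
    sender = SenderStore()
    target = "+1 555 0100"  # constructed number
    phone = new_device(0, "phone-install-1")
    desktop = new_device(1, "desktop-app")
    web = new_device(2, "web-session")
    timeline = [
        (1, [phone, desktop]),                         # phone + desktop app
        (2, [phone, desktop, web]),                    # target links a web session
        (3, [new_device(0, "phone-install-2"), web]),  # phone reinstalled (new key), desktop unlinked
    ]
    previous, observed = None, []
    for day, devices in timeline:
        fanout_encrypt(sender, target, devices, b"hi")
        snapshot = device_inventory(sender, target)
        if previous is not None:
            observed.append((day, diff_inventories(previous, snapshot)))
        previous = snapshot
    return observed


if __name__ == "__main__":
    for day, change in simulate():
        print(f"day {day}: {change}")
```

Running it prints the day-2 and day-3 inventory changes: the linked web session appears as an added device, and on day 3 the reinstalled phone shows up as a re-keyed device 0 while the unlinked desktop disappears. Nothing in the sender's store lets it read the target's messages, since the identity keys are public keys; what it obtained, merely by addressing a message to the target, is the device inventory and its timeline.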
The privacy implications are serious. An attacker could use this information to single out a target's weakest device, tailor an attack to a specific device type, or notice when a target gets a new phone and re-target it. Be'ery notes that even non-technical users, such as a jealous spouse, could use it to watch whether a partner links or removes a device.
Be'ery reported the issue to Meta's bug bounty program, which rejected it on the grounds that the protocol is working as designed rather than exhibiting a bug. He suggests adding user controls that limit identity exposure to a user's contacts as a possible fix.
The research highlights a weak spot at the edge of WhatsApp's much-praised end-to-end encryption. Message content stays encrypted end to end, but the collateral leakage of device metadata to anyone who can message a user, contact or not, undermines user privacy and hands an attacker a map of the target's attack surface.
As Be'ery states, with over 2 billion users, WhatsApp has an enormous responsibility to safeguard user data. This exposure of device information without user consent appears to contradict Meta's public commitments to "designing for privacy" in its products.
For now, WhatsApp users should be aware that their device inventory is visible to anyone who can message them on the platform, whether or not that person is a contact and even if they have been blocked. Users who want to limit exposure can keep the number of linked devices to a minimum; re-registering WhatsApp generates fresh identity keys, which breaks long-term tracking of a device, though the key change itself is visible to an observer.
As encryption and privacy become competitive selling points for tech companies, this research underscores the need for rigorous external review of protocols and of how they are deployed. Cryptography is complex, and the metadata a design exposes matters alongside the confidentiality of the content; scrutiny from outside experts helps ensure large platforms are not trading user privacy for convenience.