WhatsApp is making a big security change - here's how it affects you

WhatsApp web code verify extension
(Image credit: WhatsApp)

WhatsApp has revealed a new open source browser extension to help further protect those who use its online messaging service.

The company has teamed up with web infrastructure company Cloudflare to launch Code Verify, which they say provides independent, third-party, transparent verification of the code users are served on WhatsApp Web

This ensures that your WhatsApp Web code hasn't been tampered with or altered.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

While WhatsApp protects the personal messages sent on WhatsApp Web using end-to-end encryption as they transit from sender to recipient, there are numerous factors that can weaken the security of a web browser that don't exist in the mobile app space. 

At the same time, as mobile operating systems such as iOS and Android were created after the web, the security guarantees on mobile can be stronger, particularly when it comes to how app stores review and approve each new app and software update.

In addition to deploying Code Verify for WhatsApp Web, WhatsApp is also offering it as open source software on GitHub so that other services can use it as well.

Code Verify

Subresource integrity is a security feature that allows web browsers to verify that the resources they fetch haven't been manipulated and while this only applies to single files, Code Verify expands on the concept to check the resources of an entire webpage.

In order to do this at scale though, WhatsApp has partnered with Cloudflare to act as a trusted third party. In fact, the company has given Cloudflare a cryptographic hash source of truth for WhatsApp Web's JavaScript code so that when someone uses Code Verify, the extension automatically compares the code running on WhatsApp Web against the version of the code it verified and published on Cloudflare.

The Code Verify extension is offered by Meta Open Source and will be available on the official browser extension stores for Google Chrome, Microsoft Edge and Mozilla Firefox

In a blog post, WhatsApp highlights the fact that its new extension doesn't log any data, metadata or user data and it also doesn't share any information with the service itself. Messages that users send and receive using WhatsApp Web are not read or accessed by the company and neither it or its parent company Meta will even know whether or not someone has downloaded the Code Verify extension.

Once installed, the extension will run automatically whenever you go to WhatsApp Web and will act as a real-time alert system for the code you're being served. You can also pin the extension to your browser's toolbar to see its findings without any additional steps.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.