WhatsApp Introduces Browser Extension to Make Sure You’re Using Its Authenticated Web Version

WhatsApp Introduces Browser Extension to Make Sure You’re Using Its Authenticated Web Version
WhatsApp has made the browser extension to help you verify the authenticity of WhatsApp Web version

WhatsApp on Friday introduced a Web browser extension called Code Verify that lets users check whether the WhatsApp Web version they are using on their system is authenticated. The Web extension automatically verifies the authenticity of the WhatsApp Web code being served to the users and confirms that their messaging experience is secure and not tampered with, the company owned by Meta said. The Code Verify extension has been developed in partnership with Cloudflare, a Web infrastructure and security company. It's available as an open-source project to let other companies, groups, and individuals integrate the same experience for their apps. Open-sourcing will also help receive contributions from developers around the world to improve the extension over time.

Available for download on Chrome, Firefox, and Edge, the Code Verify extension checks for the resources on the entire webpage to verify the authenticity of the code when you open WhatsApp Web on your mobile or desktop browser.

“We've given Cloudflare a cryptographic hash source of truth for WhatsApp Web's JavaScript code. When someone uses Code Verify, the extension automatically compares the code that runs on WhatsApp Web against the version of the code verified by WhatsApp and published on Cloudflare,” the instant messaging app said in a blog post.

Once the code is verified by the extension, it notifies users whether the Web client they are using is authenticated.

The Code Verify extension runs automatically when you use WhatsApp Web on your browser. It shows a checkmark in a green circle when it is pinned to the toolbar of your browser to reflect that the code of your WhatsApp Web has been fully validated.

In case the extension is unable to validate the code that has been served to you on the Web client of the messaging app, you will get three distinct messages — depending on the issue.
  • Network Timed Out: If your page can't be validated because your network has timed out, your Code Verify extension will display an orange circle with a question mark.
  • Possible Risk Detected: If one or more of your extensions is interfering with its ability to verify the page, your Code Verify extension will display an orange circle with a question mark.
  • Validation Failure: If the extension detects that the code you're using to run WhatsApp Web is not the same as the code everyone else is using, the Code Verify icon will turn red and show an exclamation mark.
You can see more information about the validation by clicking on the Code Verify extension icon in your toolbar when it is green, orange, or red. If there is an issue, you can hit the Learn More button to know more about how you can solve the authentication problem. You can also download the source code if you want to investigate the issue further or get it verified by an agency.

One of the primary reasons for WhatsApp to introduce a browser extension to verify its authenticity is to help protect users from unknowingly using any malicious versions of the messaging service. It acts as a real-time alert system to let users know whether they are using the authenticated WhatsApp Web on their browser.

It has indeed become important for WhatsApp to protect users on its Web version — just like how it is trying to protect on the mobile app — since it recently enabled users to access the messaging service simultaneously on multiple devices. The company said in its blog post that since the introduction of the multi-device capability, it has seen an increase in people accessing WhatsApp through their Web browser via WhatsApp Web.

WhatsApp notes in an FAQ page that the new extension doesn't log any data, metadata, or user data, and doesn't share any information with WhatsApp. The extension also doesn't read or access your messages, the company said. It also promises that neither WhatsApp nor Meta will know whether someone has downloaded the extension.

Unlike a mobile app where developers have the ability to protect users by giving access only through authenticated app stores — like Apple's App Store and Google Play store — and by rolling out regular updates, Web clients normally don't have that level of protection. Things could also go wrong if you download a malicious extension or visit a suspicious webpage from your browser. It, thus, makes sense for WhatsApp to introduce a native Web extension to validate the code and notify users in case of any tampering issues.

Having said that, code tampering is not the only security flaw that could impact users on WhatsApp Web. It is still vulnerable and could let hackers gain access to your system or trap you into phishing attacks via malicious links.

Users are, therefore, recommended to always avoid clicking on any pesky links and avoid interacting with suspicious people online. WhatsApp has also given a mechanism to help report suspicious and spam accounts.