TL;DR: Meta’s WhatsApp suffers from a privacy issue that leaks victim devices’ setup information (mobile device + up to 4 linked devices) to any user, even if blocked and not in contacts. Monitoring this information over time allows potential attackers to gather actionable intelligence about their victim’s devices setup and changes to it (device replaced/ added / removed).

Meta’s WhatsApp is the most popular messaging app in the world, with over five billion downloads and 2.4 billion active users. WhatsApp’s End-to-End Encryption (E2EE) protocol is the cornerstone of protecting its users’ messages’ confidentiality. However, WhatsApp E2EE protocol design suffers from some privacy issues.

Specifically, WhatsApp exposes, by design, some information about the devices used by its users to any user of the platform and does not provide any controls or settings or configuration to allow users to control this exposure (even blocking a user does not solve it) . This may allow attackers to gain some needed information about their victims, such as victims changing their mobile devices and the existence of “companion devices” (e.g. WhatsApp Web).

WhatsApp’s E2EE architecture leaks device info

In 2016, WhatsApp had announced the rollout of End-to-End Encryption (E2EE) protocol to its user base. To support E2EE, the user app must generate a unique crypto key such that potential senders are able to encrypt messages sent to the receiving user in a way that only the receiving user can decrypt.

Since the key is generated on the user device and cannot be known to the server (so the server cannot decrypt), it may need to be regenerated when the app gets re-installed on another device. Therefore, as a by-product, this key is also a sort of an ID for the specific app installation or the device. Consequently, when the user re-installs the WhatsApp application on a new device, other users may infer that such change has happened, as the encryption key had changed.

According to WhatsApp support, if the newly installed app is restored from backup, it maintains the same key to prevent such information leak

In 2021, WhatsApp switched to a Multi-Device architecture allowing users to add “companion” devices (desktop and web apps) to their “primary” mobile device. To support E2EE, these companion devices must have keys too. Theoretically, these keys can be either the primary device’s key and in this case they must be securely distributed to the companion devices, or freshly generated by the companion devices.

WhatsApp chose the latter option and companion devices generate their own keys.

As described in the updated WhatsApp Encryption Overview Technical white paper, each of the user devices, whether it is the user’s mobile “Primary” device that registered the account or a “Companion” device linked to it (e.g. WhatsApp web) has an “Identity Key”. The Identity key is created at the time of installation and remains valid until the app is uninstalled from the device.

When a sender wants to send a message to a multi-device recipient, it creates a session key for each of the recipient devices, which is derived from that device’s Identity Key. Then, the sender “uses client-fanout for all the exchanged messages, which means each message is encrypted for each device with the corresponding pairwise session.

Therefore, due to this design choice of client-fanout (instead of server-fanout) the sender MUST BE aware of all of the receiver’s devices. Since the key exchange protocol is slightly different for primary and companion devices, the sender also knows which of the devices is the primary one.

Consequently, if prior to the multi-device architecture the sender was exposed only to the identity of the receiver’s primary account, after the multi-device architecture change, due to the design decisions taken by WhatsApp, the sender must be aware of all receiver devices’ identities.

Acquiring other users’ device data

One way (which is not the only way) for attackers to obtain WhatsApp users’ device information is by leveraging WhatsApp web client. This client is using the browser’s local storage to store the devices’ identity key.

The browser’s developer tools provide an easy way to view the contents of this table (“Signal-storage.identity-store”) as depicted below.

This table is storing all of the user’s contacts and their corresponding identity keys. Primary devices are identified by the phone number and the ‘.0’ suffix, while companion devices have a ‘:<n>.0’ suffix (e.g. ‘:16.0’).

By sampling a few instances, we had verified that this table’s data indeed corresponds to the actual user devices.

For example this user (“User X”) have 1 primary device and 3 companion devices:

User X’s corresponding entries in the identity store table matched this information perfectly

We had verified that such information is present even when the sender is not part of the receiver contact list and without actually sending messages to the receiver. Blocking the sender on the receiver side does not prevent it from getting device identity information.

Summing up, in order to obtain its victims’ WhatsApp devices information, attackers need to:

1. Know their victims phone number
2. Add victims as contacts, no need to actually send a message to them
3. Use whatsApp web client and monitor the identity-store table for information and changes

It should be noted that this table is just one possible way to obtain this information, as this information is required for the sender by the protocol. Therefore a solution that eliminates this table will only deal with the symptom and not the core issue.

We had responsibly disclosed our findings to Meta’s bug-bounty program on January 9th 2024 but got politely rejected two days later, mainly because this is not an implementation bug but the way the protocol works by design.

Therefore we feel free to share our findings publicly.

Impact

By using the methods described above, attackers can passively query device information of any WhatsApp user. Thus attackers can determine whether users have companion devices and changes in the identity of such devices by continuously monitoring the device information.

As a result such attackers may:

• Use this information to determine the “path of least resistance” and attack the companion device instead of the primary device (and vice versa). Usually companion devices are considered as a softer target and therefore attackers may want to go after them. For example, recently the IDF instructed its reserve duty personnel to remove WhatsApp from their companion devices.
• Pinpoint their attacks and send tailored exploits to the primary mobile devices and benign or invisible messages to the browser and PC based companion devices (and vice versa). Since messages are E2EE the server will not be able to know that the content of the messages sent to the different devices is actually different.
• Learn that their victims had changed mobile devices or computers triggering them to re-attack the victim or seize the opportunity to attack the newly added victim’s platform.

It should be noted that even non-sophisticated attackers, such as a jealous spouse, can abuse such information leakage in itself (new device was bought) or leverage this information (WhatsApp is now accessible on the computer) to get access to WhatsApp content.

Possible solutions

To thoroughly solve these privacy issues, WhatsApp E2EE protocol must be fixed. However, adding a simple security control that allows users to control the exposure of their identity keys and limit them only to their contacts would greatly reduce the impact of this privacy leak.

(Updated 21.1.24) a more thorough blogpost on possible solutions is published

Summing up

WhatsApp is the most popular messaging app in the world, with over five billion downloads and two billion active users. But with great power comes great responsibility.

Meta’s seem to acknowledge that resposibility and claim in their “Security and Privacy” web page that they “Designing for Privacy: Safeguarding your data is our highest priority, and we want to provide a window into how we protect your data and keep it secure.“ and “We’re ensuring new products and features are built with privacy in mind. Learn more about how we’re designing privacy into our products on our Privacy Matters blog.”

We believe that this information leak is an important privacy issue that should be properly acknowledged and fixed by Meta’s WhatsApp in a timely manner.