WhatsApp has released a new open source browser extension to help further protect those who use its messaging service on the web.
The new extension is called Code Verify and it works in partnership with the web infrastructure company Cloudflare to provide independent, third-party, transparent verification of the code users are served on WhatsApp Web. This ensures that your WhatsApp Web code hasn’t been tampered with or altered.
While WhatsApp has protected the personal messages sent on WhatsApp Web using end-to-end encryption for years now as they transit from sender to recipient, there are numerous factors that can weaken the security of a web browser that don’t exist in the mobile app space. At the same time, as mobile operating systems such as iOS and Android were created after the web, the security guarantees on mobile can be stronger, particularly when it comes to how app stores review and approve each new app and software update.
In addition to deploying Code Verify for WhatsApp Web, WhatsApp is also offering it as open source software on GitHub so that other services can use it as well.
Subresource integrity is a security feature that allows web browsers to verify that the resources they fetch haven’t been manipulated. While this only applies to single files, Code Verify expands on the concept to check the resources of an entire webpage.
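The difference between a per-file integrity check and a page-wide one, as an added example that is not code from Code Verify or WhatsApp. The manifest format, the function names and the example.test URLs are assumptions, and the script bodies are constructed sample data.

```javascript
// Added example: SRI-style digests applied to every script a page serves.
// The manifest format, names and URLs are assumptions, not Code Verify's own.
const { createHash } = require("crypto");

const ALLOWED = ["sha256", "sha384", "sha512"]; // hash algorithms SRI permits

// Build an SRI integrity value ("sha384-<base64 digest>") for one resource.
function sriDigest(body, alg = "sha384") {
  if (!ALLOWED.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Check every served script against the published manifest.
// Plain SRI only checks tags that carry an integrity attribute, so a script
// injected without one goes unverified; here it is reported as "unlisted".
function verifyPage(manifest, served) {
  const findings = [];
  for (const [url, body] of served) {
    const expected = manifest.get(url);
    let status;
    if (expected === undefined) {
      status = "unlisted";
    } else {
      const alg = expected.slice(0, expected.indexOf("-"));
      status = ALLOWED.includes(alg) && sriDigest(body, alg) === expected
        ? "ok" : "mismatch";
    }
    findings.push({ url, status });
  }
  return { valid: findings.every((f) => f.status === "ok"), findings };
}

// Constructed sample data: two scripts as published, then two altered loads.
const published = new Map([
  ["https://app.example.test/main.js", "console.log('main');"],
  ["https://app.example.test/vendor.js", "console.log('vendor');"],
]);
const manifest = new Map([...published].map(([u, b]) => [u, sriDigest(b)]));

const tampered = new Map(published)
  .set("https://app.example.test/main.js", "console.log('main'); /* changed */");
const injected = new Map(published)
  .set("https://cdn.example.test/extra.js", "console.log('extra');");

console.log(verifyPage(manifest, published).valid);
console.log(verifyPage(manifest, tampered).findings);
console.log(verifyPage(manifest, injected).findings);
```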
The Code Verify extension is offered by Meta Open Source and will be available on the official browser extension stores for Google Chrome, Microsoft Edge and Mozilla Firefox. In a blog post, WhatsApp highlights the fact that its new extension doesn’t log any data, metadata or user data and it also doesn’t share any information with the service itself. Messages that users send and receive using WhatsApp Web are not read or accessed by the company, and neither it nor its parent company Meta will even know whether or not someone has downloaded the Code Verify extension.
Once installed, the extension will run automatically whenever you go to WhatsApp Web and will act as a real-time alert system for the code you’re being served. You can also pin the extension to your browser’s toolbar to see its findings without any additional steps.