Meta releases open source browser extension to verify WhatsApp Web

Meta has released Code Verify in collaboration with Cloudflare. This is a browser extension that automatically verifies the authenticity of the code on the WhatsApp Web website when users log in to it. The extension is coming to Chrome, Edge and Firefox.

Code Verify is meant to assure users that the code they receive when they use WhatsApp Web has not been tampered with. Meta, the parent company of Facebook and WhatsApp, wants to make it more difficult for attackers to intercept messages from users who use WhatsApp in the browser.

According to Meta, Code Verify is based on the concept of sub-resource integrity. This is a security feature that allows browsers to verify that the content they download has not been tampered with. Sub-resource integrity only works on individual files, while Code Verify checks all resources on the full page, according to Meta. To be able to do that on a large scale, Meta has partnered with Cloudflare.

Meta has provided Cloudflare with a cryptographic hash of WhatsApp Web’s JavaScript code. The Code Verify extension then compares the code in the user’s browser with the verified code held by Cloudflare. Comparing hashes to see whether code has been tampered with isn’t new, Meta acknowledges. However, the company states that doing this automatically with Code Verify, and at the scale at which it can now take place, is innovative.

If the extension is installed, it is activated automatically when WhatsApp Web is visited. Using traffic light colors, the extension shows whether everything is okay or whether there are problems. An orange circle is visible when there is a network timeout or when a potential risk is detected. If the extension detects that the code does not match, the icon turns red with an exclamation mark. A click on the icon should provide more information.
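The difference between a per-file check and a whole-page check, and the resulting icon colors, can be shown in a few lines. This is an added example, not code from the article or from Code Verify itself: the function names, the way per-file digests are combined into one page hash, and the sample scripts are assumptions constructed for illustration.

```javascript
const { createHash } = require('crypto');

// SRI-style digest of one resource body: "sha256-<base64>".
function sriDigest(body) {
  return 'sha256-' + createHash('sha256').update(body, 'utf8').digest('base64');
}

// One hash for the whole page (assumed scheme): hash the sorted list of
// "url digest" lines, so changing, adding or removing any script alters it.
function pageHash(resources) {
  const lines = Object.keys(resources)
    .sort()
    .map((url) => `${url} ${sriDigest(resources[url])}`);
  return createHash('sha256').update(lines.join('\n'), 'utf8').digest('hex');
}

// Map the comparison onto the icon colors the article describes.
// trustedHash === null models a lookup of the trusted value that timed out.
function verifyPage(resources, trustedHash) {
  if (trustedHash === null) return 'orange';
  return pageHash(resources) === trustedHash ? 'green' : 'red';
}

// Constructed sample data: the scripts as published ...
const published = {
  '/app.js': 'function send(m) { encryptAndSend(m); }',
  '/vendor.js': 'const version = "1.0";',
};
const trusted = pageHash(published); // value the third party would hold

// ... one view with an edited file, one with an extra script added.
const modified = { ...published, '/app.js': 'function send(m) { copy(m); encryptAndSend(m); }' };
const injected = { ...published, '/extra.js': 'copy(document.title);' };

// The per-file digest of /app.js is unchanged in `injected`, so a check on
// that file alone passes; only the page-level hash notices the extra script.
const appFileUnchanged = sriDigest(injected['/app.js']) === sriDigest(published['/app.js']);

console.log({
  published: verifyPage(published, trusted),
  modified: verifyPage(modified, trusted),
  injected: verifyPage(injected, trusted),
  lookupTimedOut: verifyPage(published, null),
  appFileUnchanged,
});
```

The trusted value has to reach the checker over a channel the page's own server does not control, which is the role the article gives to Cloudflare.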

The Code Verify extension is available for Chrome and Edge. A Firefox version will follow later. According to Meta, the browser extension does not log any data, metadata or user data and no information is shared with WhatsApp. The extension also does not have access to messages, the company emphasizes. It is an open source extension and the source code is on GitHub.