Tal Be'ery
Security Research Manager Co-Founder, CTO @ZenGo Advisor @ZeroNetworks x-VP Research Aorato, acq by @Microsoft 9 times @BlackHatEvents speaker

Jan 17, 8 tweets

1/ A technical writeup on @Meta’s @WhatsApp privacy issue:
WA leaks victim devices’ end-to-end encryption (E2EE) identity information (mobile device + up to 4 linked devices) to any user, by design, even if blocked and not in contacts.

2/ For example, it can be applied to Hamas leaders (with whom I obviously did not have previous communication).

3/ Monitoring this device identity information over time allows potential attackers to gather actionable and valuable intelligence about their victim’s device setup and changes to it (device replaced / added / removed).

4/ This issue is not intrinsic to end-to-end encryption (E2EE) and stems from WhatsApp's design choices to have "client fanout" and different keys for each device.
The sender is responsible for sending a different message to each of the recipient devices and thus must know them + keys.

5/ I reported this to @Meta @WhatsApp, and their response was that it works as designed.
They are right, but their design is wrong.

6/ I would expect WhatsApp to at least allow users to not expose such details to users that are not in their contact list (like they do with other features such as profile pic).

7/ Currently nothing stops advanced cyber attackers, or even a simple jealous ex-partner, from spying on their victims and getting alerted about new devices they own and new opportunities to attack.
I hope @Meta @WhatsApp would reconsider and fix these issues.

8/ Many thanks to my friends and family who helped with this research:
@t_tsafi @ace__pace @OphirHarpaz @LevAretz @yanivazaria @OmerShlomovits @GaryBenattar
And thank you @TechCrunch @lorenzofb for coverage techcrunch.com/2024/01/17/psa…
