
WhatsApp might expose your device’s OS and other sensitive info


A critical vulnerability in WhatsApp allows attackers to obtain the operating system, device setup information, and the number of linked devices by exploiting the unique ‘Message ID’ assigned to each message sent on the platform.

WhatsApp’s End-to-End Encryption (E2EE) protocol is touted as a central feature safeguarding user privacy, ensuring that messages can only be read by the sender and intended recipient. However, researchers earlier this year pointed out design flaws within the platform’s Multi-Device feature, which could leak device information to other users.

The real breakthrough in this research came from the discovery that attackers can now identify a WhatsApp user’s specific operating system through its ‘Message ID’ structure. Each message sent from WhatsApp generates a unique ID based on the device it originated from, and these IDs vary depending on the operating system.

By analysing the message IDs, researchers could reliably distinguish between devices running Android, iOS, Mac, and Windows.

Although seemingly benign at first glance, this information could be a valuable asset for attackers during reconnaissance, the first stage of a cyberattack. Knowing the victim’s device setup and operating system helps bad actors tailor their attack strategies, targeting vulnerabilities specific to certain platforms.

Message ID length and prefix of different operating systems. | Source: Tal Be’ery on Medium

However, this approach unintentionally reveals certain information about the user’s device status. Attackers can also use this technique to track device activity over time.

For example, a malicious actor might be able to determine whether a target is using a new device or which device is currently active, making it easier to launch a tailored attack.

This capability significantly elevates the risk posed by information leaks, as it allows attackers to determine the type of device and its operating system, making it easier to exploit known vulnerabilities. Hackers, particularly those with advanced skills, could use this information to target the most vulnerable device in a user’s ecosystem.

Researchers disclosed the vulnerability to Meta in September 2024. While Meta responded promptly with an initial evaluation, they have since remained silent, failing to communicate further updates or solutions.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
