October 16, 2024 at 12:34AM
Security researchers from Zengo have identified a flaw in WhatsApp that exposes users’ operating systems and device information through unique message IDs. This vulnerability could enable attackers to target specific devices based on their OS. Meta has acknowledged the issue but has not responded further since it was reported.
### Meeting Takeaways:
1. **Security Flaw Identified**: Zengo, a cryptocurrency wallet company, has reported a new security vulnerability in Meta’s WhatsApp, which potentially exposes user operating systems and device setup information.
2. **Metadata Issues**: The flaw is linked to how WhatsApp handles multi-device setups and the metadata shared during communication.
3. **Unique Device Identifiers**: Each device connected to a WhatsApp account is given a distinct identity key, varying in length and structure by operating system:
   - **Android**: 32-character ID
   - **iPhone**: 24-character ID (20-character prefix + 4 additional characters)
   - **Windows Desktop App**: 18-character ID
4. **Potential Risks**: The different characteristics of these IDs allow malicious actors to fingerprint users and identify their operating systems. This knowledge could enable targeted malware attacks, exploiting specific vulnerabilities.
5. **Communication with Meta**: Zengo notified Meta of this security issue on September 17, but has not received any feedback since the alert.
6. **Public Disclosure**: Due to the lack of response from Meta, Zengo has decided to publicly disclose the vulnerability.
7. **WhatsApp’s Response**: No comment was provided by WhatsApp regarding the reported issue at the time of publication.
These findings highlight the importance of addressing security vulnerabilities promptly to protect users’ private information and device security.