Zengo Study Reveals Privacy Flaws in WhatsApp’s Multi-Device Mode

WhatsApp Messenger has encountered significant privacy issues. The application, renowned for its end-to-end encryption (E2EE), has proven vulnerable due to the functionality of its Multi-Device mode. According to a new study by Zengo, attackers can gain access to information about the devices in use and even determine their operating system, greatly simplifying the preparation of attacks.

In Multi-Device mode, each user’s device must establish a separate encryption session with the recipient’s devices. For example, sending a message from Alice to Bob, who has five connected devices, requires the creation of five individual encrypted sessions. This results in a leakage of information, as senders can learn details about the recipient’s devices, while the devices themselves retain cryptographic keys, allowing active devices to be tracked over time.

Attackers can access the following data:

• Number of devices: WhatsApp supports one primary mobile device and up to four additional ones (desktop apps or the web version);
• Persistent device identifiers: Each device receives a unique identifier, enabling its activity to be tracked;
• Device type: It can be determined whether the device is the main mobile one or an additional desktop.

To clarify the data, researchers examined the process of generating message identifiers (Message ID) across various platforms. They found that the structure of the ID varies depending on the operating system. For instance, messages sent from the web client begin with “3EB0,” identifying the device as the web version.

A table demonstrates the differences in the length and prefix of Message IDs across WhatsApp platforms: Web, Android, iPhone, Mac, and Windows Desktop. The table includes information on the identifier length, the presence of prefixes, and additional notes for each platform, aiding in the analysis and tracking of devices.

It is possible not only to distinguish between iPhone and Mac but also to verify the type of device (mobile or desktop) and its OS, enabling more precise tracking of user activity.

The information obtained provides hackers with several opportunities:

• Determining the device’s operating system: Vulnerabilities are often OS-specific, allowing for targeted exploitation;
• Choosing the least secure device: Desktop devices are generally less secure than mobile ones, making them a priority target;
• Identifying the active device: Attackers can wait for the moment when the desired device is not in use to carry out an attack.

Even less experienced cybercriminals can use such a leak for surveillance. For instance, discovering a new device or detecting WhatsApp usage on a computer might raise suspicions.

Researchers informed Meta* about the issue on September 17 and received an initial response the same day. However, no further action has been taken by the company, and additional inquiries have gone unanswered. The experts decided to disclose their findings as similar vulnerabilities are already being exploited in popular open-source projects like whatsapp-web.js.

The report’s authors conclude that while WhatsApp has always emphasized the importance of privacy through end-to-end encryption, the current situation highlights the company’s insufficiently swift response to identified security problems. A simple change in the logic of Message ID generation could eliminate the possibility of device identification, but no steps have been taken in this direction. As of now, WhatsApp has not commented.