WhatsApp Multi-Device Feature Leaks Metadata, Enabling OS Fingerprinting and Targeted Attacks

WhatsApp, the globally popular messaging platform with over 3 billion monthly active users, is renowned for its end-to-end encryption (E2EE) that ensures message security. However, recent research has uncovered that the app’s multi-device feature inadvertently leaks metadata, allowing attackers to determine users’ device operating systems. This vulnerability facilitates targeted malware attacks, raising significant privacy and security concerns.

Understanding the Multi-Device Feature and Its Implications

WhatsApp’s multi-device functionality enables users to access their accounts on multiple devices simultaneously without requiring a primary smartphone connection. This is achieved by establishing separate sessions for each linked device, with unique encryption keys generated on the device itself rather than on centralized servers.

While this architecture enhances user convenience, it introduces a critical vulnerability. Differences in the implementation of key identifiers, such as Signed Pre-Key (Signed PK) and One-Time Pre-Key (OTPK), inadvertently reveal whether a device operates on Android or iOS. This information is invaluable to cyber attackers, as it allows them to tailor their exploits to the specific operating system, increasing the effectiveness of their attacks.

The Mechanics of OS Fingerprinting

Attackers can exploit this vulnerability passively by querying WhatsApp servers for session keys without any interaction from the user. By analyzing the patterns in key ID assignments, they can accurately determine the operating system of the target device. For instance, research presented at the WOOT’25 conference highlighted that Android devices increment Signed PK IDs slowly from zero on a monthly basis, whereas iOS devices exhibit distinctly different patterns.

This OS fingerprinting capability enables attackers to deploy operating system-specific malware payloads stealthily. By targeting Android devices with Android-specific malware and avoiding iOS devices, attackers can minimize detection risks and maximize the impact of their malicious campaigns.

WhatsApp’s Response and Partial Mitigation

In response to these findings, WhatsApp has implemented changes to the assignment of Android Signed PK IDs, opting for random values across the 24-bit range. This adjustment aims to disrupt the OS fingerprinting vector. However, the OTPK assignments remain distinguishable, with iOS devices starting at low values and incrementing every few days, while Android devices exhibit a full random span. Consequently, attackers can still reliably determine the operating system using adapted tools.

Critics have pointed out that WhatsApp’s rollout of these changes lacked transparency. The company did not alert researchers, offer bug bounties, or assign Common Vulnerabilities and Exposures (CVE) identifiers to these issues. Such omissions hinder the tracking and collaborative mitigation of vulnerabilities within the cybersecurity community.

Broader Implications and Recommendations

The ability to fingerprint operating systems through WhatsApp’s multi-device feature has significant implications for user privacy and security. Advanced Persistent Threats (APTs) can exploit this vulnerability to deliver tailored malware, as evidenced in cases involving Paragon spyware. Notably, these attacks can occur without any user notifications, preserving the stealth of the malicious activities.

To enhance security, it is recommended that WhatsApp implement full randomization of key assignments across all platforms and improve transparency by assigning CVEs to such vulnerabilities. Users are advised to limit the number of linked devices and monitor their account activity regularly to detect any unauthorized access.
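The recommended fix can be sketched as follows. This is an added example, not WhatsApp's code or the researchers' tooling: it contrasts a counter-style key ID allocator with one that draws IDs from the full 24-bit range, and adds a check a client developer could run on published ID batches before release. The class names, the `leaks_counter_pattern` function and its 1/256 cutoff are hypothetical; only the 24-bit range comes from the article.

```python
import secrets

ID_BITS = 24                  # ID width stated in the article
ID_SPACE = 1 << ID_BITS

class SequentialIdAllocator:
    """Leaky pattern: IDs start at zero and count up, so the value itself
    reveals the allocation scheme and how many keys came before it."""
    def __init__(self):
        self._next = 0

    def allocate(self):
        key_id = self._next
        self._next = (self._next + 1) % ID_SPACE
        return key_id

class RandomIdAllocator:
    """Mitigation: draw every ID uniformly from the whole range with a
    CSPRNG, retrying only to avoid reusing an ID that is still live."""
    def __init__(self):
        self._live = set()

    def allocate(self):
        if len(self._live) >= ID_SPACE:
            raise RuntimeError("ID space exhausted")
        while True:
            key_id = secrets.randbelow(ID_SPACE)
            if key_id not in self._live:
                self._live.add(key_id)
                return key_id

    def release(self, key_id):
        self._live.discard(key_id)   # call once the key is consumed or rotated

def leaks_counter_pattern(ids, low_cutoff=ID_SPACE >> 8):
    """Release-gate check on a batch of IDs a client would publish: True if the
    batch is strictly increasing or confined to the lowest 1/256 of the range."""
    increasing = all(a < b for a, b in zip(ids, ids[1:]))
    return increasing or max(ids) < low_cutoff

def sample_batch(allocator, n=100):
    # Constructed sample: n freshly allocated IDs from the given allocator.
    return [allocator.allocate() for _ in range(n)]

if __name__ == "__main__":
    print(leaks_counter_pattern(sample_batch(SequentialIdAllocator())))
    print(leaks_counter_pattern(sample_batch(RandomIdAllocator())))
```

Running the same check against every platform's client build is what makes the randomization "full": one platform left on a counter is enough to keep the builds distinguishable.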

In conclusion, while WhatsApp’s multi-device feature offers enhanced usability, it also introduces vulnerabilities that can be exploited for OS fingerprinting and targeted attacks. Addressing these issues through comprehensive technical solutions and transparent communication is essential to safeguard the privacy and security of WhatsApp’s extensive user base.