Code Verify is based on the concept of subresource integrity, in which browsers check the integrity of a fetched file, but it extends the concept to all resources on a website and uses Cloudflare as a trusted third party.
According to Meta, WhatsApp Web users can now utilise the plugin to confirm that the program has not been tampered with or altered. The plugin was created to automatically compare WhatsApp Web code to a cryptographic hash source of truth entrusted to Cloudflare, and to warn the user if any inconsistencies are discovered.
Cloudflare’s third-party verification, according to Meta, performs the tests automatically, in real-time, and at scale. Code Verify and the cryptographic hash source of truth on Cloudflare are updated whenever WhatsApp Web is updated.
Code Verify is now available for Chrome and Microsoft Edge, and will shortly be available for Firefox. According to Meta, users can rest assured that their privacy is protected because the extension logs no data or metadata, shares no information with WhatsApp, and has no access to user messages.
“In fact, neither WhatsApp nor Meta will know whether someone has downloaded the Code Verify extension. Additionally, the Code Verify extension never sends messages or chats between WhatsApp users to Cloudflare,” Meta says.
Code Verify runs immediately after installation and displays a green icon in the browser if the WhatsApp Web code is fully validated. An orange icon appears if a page refresh is required or if an extension is interfering with Code Verify; a red icon appears if potential security vulnerabilities are discovered.
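The comparison and the three icon states described above can be sketched as follows. This is an added example for Node.js, not code from Meta's Code Verify repository. The manifest layout, the sample scripts, the `verifyPage` name and the mapping of unreadable resources to orange and of unlisted scripts to red are assumptions made for illustration.

```javascript
// Added illustration; not code from Meta's Code Verify repository.
const { createHash } = require("node:crypto");

const sha256Hex = (body) => createHash("sha256").update(body).digest("hex");

// Constructed sample: the scripts a web app is supposed to serve.
const PUBLISHED = {
  "/app.js": "export const send = (m) => encrypt(m);",
  "/vendor.js": "export const encrypt = (m) => m;",
};

// Constructed manifest (path -> SHA-256), standing in for the hash source
// of truth held by the third party.
const TRUSTED_MANIFEST = Object.fromEntries(
  Object.entries(PUBLISHED).map(([path, body]) => [path, sha256Hex(body)])
);

// loaded: [{ path, body }] as observed in the page. body === null means the
// checker could not read the resource (assumed model for the orange state).
function verifyPage(loaded, manifest) {
  const findings = [];
  for (const { path, body } of loaded) {
    if (body === null) {
      findings.push({ path, issue: "unreadable" });
    } else if (!Object.hasOwn(manifest, path)) {
      // Assumption: a script the manifest does not list counts as a failure.
      findings.push({ path, issue: "not-in-manifest" });
    } else if (sha256Hex(body) !== manifest[path]) {
      findings.push({ path, issue: "hash-mismatch" });
    }
  }
  // Any content that fails validation outranks an incomplete check.
  const failed = findings.some((f) => f.issue !== "unreadable");
  const status = failed ? "red" : findings.length ? "orange" : "green";
  return { status, findings };
}
```

The check is only as trustworthy as the manifest, which is why the article stresses that the hashes are held by a party other than the one serving the code.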
The extension is now publicly available on GitHub, allowing others to use it to verify their own applications. By making it open source, Meta also intends Code Verify to evolve through community contributions.
“We believe that with Code Verify, we are charting new territory with automatic third-party code verification, particularly at this scale. We hope that more services use the open source version of Code Verify and make third-party verified web code the new norm,” Meta says.