How to Bypass WhatsApp Web's Locked Chat Feature (opens in new tab)

(lcat.dev)

75 pointsloncat42151y ago33 comments

33 comments

Semi-related: On the old F1 website, they'd post the lap and sector times of drivers during an F1 session (practice, qualifying, race). First it was a Java app which had all the data, and then they got fancy and wrote it in JavaScript, and enshittified it: if you don't subscribe to their premium... website offering?.. you just get colored sectors whenever the driver's finished that sector (yellow as they've passed it, green if it's the fastest time they've driven through this sector, purple if it's the fastest of anyone, in the current session). I was wondering if they still had the sector times and just hid it on the frontend, and it was the case. There was an if-block that was called during initialization that checked if user was premium. Adding a breakpoint and adding a condition to set premium = true got me the sector times!

And then they changed their app to use Unity and WASM, and it's all Assembly-esque in the developer tool.

jwrallie1y ago

It’s always good to take a look, many things are decided on the client side, and developer tools are part of the browsers anyway.

The other day I wanted to make reservations for a service to send my luggage from the airport to my house in Japan, and the form was giving me errors.

Searching for the error string around I realized there was a timeout set on the client side, so I increased it and could slowly but smoothly fill in all the information that required a server check.

I guess they never bothered to debug their system when accessing it from the other side of the world. All it needed was a few extra milliseconds for the requests to arrive in time.

kotaKat1y ago

A major ISP's "outage check" feature sends all the data back client-side for the actual outage ticket, including circuit IDs, dispatch status, and if the outage is valid for customer credit. I now just hit that API as needed to check when shit goes sideways.

Meanwhile, if you put your ZIP in you just get a little friendly "We're working on it! :)".

I love data firehoses like that.

lewisleclerc1y ago

One of the dating apps with a web interface had a separate API to increment message counts sent to users. Non-premium users could only like profiles or send a limited number of texts. I simply blocked that API and was able to use the app like a premium user

emptiestplace1y ago

Leave some matches for the rest of us, Lewis. :<

jillyboel1y ago

Yep, this is why I'm not a fan of WASM. It's going to make debugging/reversing webapps much, much harder while that has always been one of the charms of the web.

weikju1y ago

Also makes learning from other sites much harder, which I think is another fundamental appeal of the web.

dizhn1y ago

Almost the same thing happens on one of the famous online guitar tab playing things and there's a little userscript that "fixes" it.

pipe011y ago

https://f1-dash.com/

RandomDistort1y ago

A lot of WhatsApp's features are enforced client-side, which means on Web they just break with DevTools.

I've done some research into this (haven't published it) but also can't get Facebook's bug bounty report tool to work (whenever I create a facebook account it gets autobanned) so I haven't been able to report them either. I wonder if stuff like this would be eligible, I don't see why it wouldn't.

loncat4215OP1y ago

> A lot of WhatsApp's features are enforced client-side, which means on Web they just break with DevTools. This is true. IIRC, there is also a "bug", I think it's unfixable due to WhatsApp's nature at the time, where you can send a message with a tampered quoted reply. It's also done in the DevTools by modifying the quoted message ID to something that doesn't exist.

> I wonder if stuff like this would be eligible, I don't see why it wouldn't. I just reported it, let's see if it's eligible

RandomDistort1y ago

Ok, can you let me know if they say it's valid, as if it is considered valid I'll try again with investigating and reporting some issues I found.

beders1y ago

It is a good reminder for front-end devs that security-through-obscurity is not sufficient. It never has.

Reminds me of a security company that claimed they could force a watermark onto any content in their web-front-end. Turns out it was a canvas overlay you could just simple delete from the HTML. LOL.

Neywiny1y ago

I used a tool in school that outputted svgs with watermarks. So I proved that if I ever wanted to, though I never needed to, I could just delete that element. Trivial.

klysm1y ago

This is such a problem in security - executives don’t know that and will buy all sorts of security theatre bullshit

unixfox1y ago

https://web.archive.org/web/20241206210921/https://lcat.dev/...

thimabi1y ago

I think my expectations for a feature called “locked chats” are somewhat different from those of WhatsApp.

What is the value of locking something if the lock can be easily bypassed? Just preventing the least sophisticated attacks?

In this case, I think WhatsApp should have done better — or refrained from adding this feature at all.

GrantMoyer1y ago

> What is the value of locking something if the lock can be easily bypassed? Just preventing the least sophisticated attacks?

Amusingly, these two questions apply just as well to almost all physical locks in the material world. I suppose that makes WhatsApp's "lock" analogy apt.

drdaeman1y ago

However, we should consider that this is about online privacy features, which is a fairly hot topic nowadays. And it kind of feels that we got drape curtains* instead of a lock - and I think it's not exactly what people would reasonably expect for a feature like this? Or do they clarify that it's a weak protection somewhere?

___

*) I mean, it can be unlocked by literally opening JS console and typing one command. That's a gate latch at best.

loncat4215OP1y ago

> In this case, I think WhatsApp should have done better — or refrained from adding this feature at all.

At least they should encrypt the messages instead of making it seems like it's encrypted. AFAIK, in the mobile WhatsApp, locked chats will get wiped without screen lock or secret code. They make it seem like it's practically impossible to recover the messages without doing real crypto stuff on the locked chats' messages.

0xcoffee1y ago

Personally I use it to hide chats from my girlfriend who has access to my phone.

jonathanlydall1y ago

I totally get that hiding things from partners is a not uncommon thing.

Speaking as someone who has lived with my wife for over 10 years and where we can each access each other’s phones (for reasons of administrative convenience), neither of us have ever “snooped” on each other.

So when I hear of people taking advantage of features to hide chats from their partner it makes me wonder about the psychological health of either the relationship, one, or both of the partners.

There are absolutely psychologically unhealthy controlling partners who “snoop” on their partners unreasonably dictating what is and isn’t allowed. And at the same time there are also unfaithful partners who are having the kind of conversations with other people that they really shouldn’t when they’re in a committed relationship.

Only other reason I can think to hide chats are risqué group chats with friends posting arguably inappropriate content, but again, if your partner is snooping on this and then getting controlling, that’s not really healthy.

Finally, I will admit I sometimes use incognito mode on my web browser at times (but never for conversations), so perhaps I’m a bit of a hypocrite.

2 more replies

yownie1y ago

sounds like a super healthy relationship.

rini171y ago

Is there also a bypass for the silly insufficient disk space error in whatsapp web, other than reloading the page?

loncat4215OP1y ago

I've never experienced that, it does sound like a silly problem

rini171y ago

It's this, not limited to opera. And various recommended settings did not help. It was previously possible to just delete the dialog box from DOM and continue, no more.

https://superuser.com/questions/1856709/whatsapp-web-your-co...

IG_Semmelweiss1y ago

hugged to death : 503 Service Unavailable

I turned off VPN.No dice.

loncat4215OP1y ago

I'm sorry. It's online now.

aperezalbela1y ago

"Trying something?"

loncat4215OP1y ago

;)

j / k navigate · click thread line to collapse

33 comments

netsharc1y ago

And then they changed their app to use Unity and WASM, and it's all Assembly-esque in the developer tool.

jwrallie1y ago

It’s always good to take a look, many things are decided on the client side, and developer tools are part of the browsers anyway.

The other day I wanted to make reservations for a service to send my luggage from the airport to my house in Japan, and the form was giving me errors.

Searching for the error string around I realized there was a timeout set on the client side, so I increased it and could slowly but smoothly fill in all the information that required a server check.

I guess they never bothered to debug their system when accessing it from the other side of the world. All it needed was a few extra milliseconds for the requests to arrive in time.

kotaKat1y ago

Meanwhile, if you put your ZIP in you just get a little friendly "We're working on it! :)".

I love data firehoses like that.

lewisleclerc1y ago

emptiestplace1y ago

Leave some matches for the rest of us, Lewis. :<

jillyboel1y ago

Yep, this is why I'm not a fan of WASM. It's going to make debugging/reversing webapps much, much harder while that has always been one of the charms of the web.

weikju1y ago

Also makes learning from other sites much harder, which I think is another fundamental appeal of the web.

dizhn1y ago

Almost the same thing happens on one of the famous online guitar tab playing things and there's a little userscript that "fixes" it.

pipe011y ago

https://f1-dash.com/

RandomDistort1y ago

A lot of WhatsApp's features are enforced client-side, which means on Web they just break with DevTools.

loncat4215OP1y ago

> I wonder if stuff like this would be eligible, I don't see why it wouldn't. I just reported it, let's see if it's eligible

RandomDistort1y ago

Ok, can you let me know if they say it's valid, as if it is considered valid I'll try again with investigating and reporting some issues I found.

beders1y ago

It is a good reminder for front-end devs that security-through-obscurity is not sufficient. It never has.

Reminds me of a security company that claimed they could force a watermark onto any content in their web-front-end. Turns out it was a canvas overlay you could just simple delete from the HTML. LOL.

Neywiny1y ago

I used a tool in school that outputted svgs with watermarks. So I proved that if I ever wanted to, though I never needed to, I could just delete that element. Trivial.

klysm1y ago

This is such a problem in security - executives don’t know that and will buy all sorts of security theatre bullshit

unixfox1y ago

https://web.archive.org/web/20241206210921/https://lcat.dev/...

thimabi1y ago

I think my expectations for a feature called “locked chats” are somewhat different from those of WhatsApp.

What is the value of locking something if the lock can be easily bypassed? Just preventing the least sophisticated attacks?

In this case, I think WhatsApp should have done better — or refrained from adding this feature at all.

GrantMoyer1y ago

> What is the value of locking something if the lock can be easily bypassed? Just preventing the least sophisticated attacks?

Amusingly, these two questions apply just as well to almost all physical locks in the material world. I suppose that makes WhatsApp's "lock" analogy apt.

drdaeman1y ago

___

*) I mean, it can be unlocked by literally opening JS console and typing one command. That's a gate latch at best.

loncat4215OP1y ago

> In this case, I think WhatsApp should have done better — or refrained from adding this feature at all.

0xcoffee1y ago

Personally I use it to hide chats from my girlfriend who has access to my phone.

jonathanlydall1y ago

I totally get that hiding things from partners is a not uncommon thing.

So when I hear of people taking advantage of features to hide chats from their partner it makes me wonder about the psychological health of either the relationship, one, or both of the partners.

Finally, I will admit I sometimes use incognito mode on my web browser at times (but never for conversations), so perhaps I’m a bit of a hypocrite.

2 more replies

yownie1y ago

sounds like a super healthy relationship.

rini171y ago

Is there also a bypass for the silly insufficient disk space error in whatsapp web, other than reloading the page?

loncat4215OP1y ago

I've never experienced that, it does sound like a silly problem

rini171y ago

It's this, not limited to opera. And various recommended settings did not help. It was previously possible to just delete the dialog box from DOM and continue, no more.

https://superuser.com/questions/1856709/whatsapp-web-your-co...

IG_Semmelweiss1y ago

hugged to death : 503 Service Unavailable

I turned off VPN.No dice.

loncat4215OP1y ago

I'm sorry. It's online now.

aperezalbela1y ago

"Trying something?"

loncat4215OP1y ago

;)

j / k navigate · click thread line to collapse