[HN Gopher] How to Bypass WhatsApp Web's Locked Chat Feature
___________________________________________________________________
How to Bypass WhatsApp Web's Locked Chat Feature
Author : loncat4215
Score : 61 points
Date : 2024-12-06 19:06 UTC (1 days ago)
(HTM) web link (lcat.dev)
(TXT) w3m dump (lcat.dev)
| thimabi wrote:
| I think my expectations for a feature called "locked chats" are
| somewhat different from those of WhatsApp.
|
| What is the value of locking something if the lock can be easily
| bypassed? Just preventing the least sophisticated attacks?
|
| In this case, I think WhatsApp should have done better -- or
| refrained from adding this feature at all.
| GrantMoyer wrote:
| > What is the value of locking something if the lock can be
| easily bypassed? Just preventing the least sophisticated
| attacks?
|
| Amusingly, these two questions apply just as well to almost all
| physical locks in the material world. I suppose that makes
| WhatsApp's "lock" analogy apt.
| drdaeman wrote:
| However, we should consider that this is about online privacy
| features, which is a fairly hot topic nowadays. And it kind
| of feels that we got drape curtains* instead of a lock - and
| I think it's not exactly what people would reasonably expect
| for a feature like this? Or do they clarify that it's a weak
| protection somewhere?
|
| ___
|
| *) I mean, it can be unlocked by literally opening JS console
| and typing one command. That's a gate latch at best.
| 0xcoffee wrote:
| Personally I use it to hide chats from my girlfriend who has
| access to my phone.
| jonathanlydall wrote:
| I totally get that hiding things from partners is a not
| uncommon thing.
|
| Speaking as someone who has lived with my wife for over 10
| years and where we can each access each other's phones (for
| reasons of administrative convenience), neither of us have
| ever "snooped" on each other.
|
| So when I hear of people taking advantage of features to hide
| chats from their partner it makes me wonder about the
| psychological health of either the relationship, one, or both
| of the partners.
|
| There are absolutely psychologically unhealthy controlling
| partners who "snoop" on their partners unreasonably dictating
| what is and isn't allowed. And at the same time there are
| also unfaithful partners who are having the kind of
| conversations with other people that they really shouldn't
| when they're in a committed relationship.
|
| Only other reason I can think to hide chats are risque group
| chats with friends posting arguably inappropriate content,
| but again, if your partner is snooping on this and then
| getting controlling, that's not really healthy.
|
| Finally, I will admit I sometimes use incognito mode on my
| web browser at times (but never for conversations), so
| perhaps I'm a bit of a hypocrite.
| lewisleclerc wrote:
| I'm curious, for what reasons do you use incognito?
| jonathanlydall wrote:
| Aside from technical troubleshooting reasons, never for
| "social" interactions. For all other times, all I will
| say is that your guess is probably correct.
| j6zauas4gz wrote:
| > So when I hear of people taking advantage of features to
| hide chats from their partner it makes me wonder about the
| psychological health of either the relationship, one, or
| both of the partners.
|
| I am the exact opposite and would wonder about the
| psychological health of either the relationship or both of
| the partners if they have so intertwined themselves that
| they no longer feel the need to keep any aspect of their
| identities private from each other.
|
| > Only other reason I can think to hide chats
|
| The number of reasons are as numerous as there are
| relationships. I literally just finished sending my mother
| a message about a joint gift to my father in a group chat
| that I would not want my father to see, since it would
| spoil his Christmas present. I have several chat groups
| that contain information that I am _legally not allowed_ to
| let my partner, or anyone else for that matter, see. And
| that's not even getting into all the different levels of
| confidentiality that friends talking amongst friends
| reasonably might expect when sharing stories of their
| personal lives with each other.
| loncat4215 wrote:
| > In this case, I think WhatsApp should have done better -- or
| refrained from adding this feature at all.
|
| At least they should encrypt the messages instead of making it
| seem like it's encrypted. AFAIK, in the mobile WhatsApp,
| locked chats will get wiped without screen lock or secret code.
| They make it seem like it's practically impossible to recover
| the messages without doing real crypto stuff on the locked
| chats' messages.
| aperezalbela wrote:
| "Trying something?"
| loncat4215 wrote:
| ;)
| netsharc wrote:
| Semi-related: On the old F1 website, they'd post the lap and
| sector times of drivers during an F1 session (practice,
| qualifying, race). First it was a Java app which had all the
| data, and then they got fancy and wrote it in JavaScript, and
| enshittified it: if you don't subscribe to their premium...
| website offering?.. you just get colored sectors whenever the
| driver's finished that sector (yellow as they've passed it, green
| if it's the fastest time they've driven through this sector,
| purple if it's the fastest of anyone, in the current session). I
| was wondering if they still had the sector times and just hid it
| on the frontend, and it was the case. There was an if-block that
| was called during initialization that checked if user was
| premium. Adding a breakpoint and adding a condition to set
| premium = true got me the sector times!
|
| And then they changed their app to use Unity and WASM, and it's
| all Assembly-esque in the developer tool.
| jillyboel wrote:
| Yep, this is why I'm not a fan of WASM. It's going to make
| debugging/reversing webapps much, much harder while that has
| always been one of the charms of the web.
| weikju wrote:
| Also makes learning from other sites much harder, which I
| think is another fundamental appeal of the web.
| jwrallie wrote:
| It's always good to take a look, many things are decided on the
| client side, and developer tools are part of the browsers
| anyway.
|
| The other day I wanted to make reservations for a service to
| send my luggage from the airport to my house in Japan, and the
| form was giving me errors.
|
| Searching for the error string around I realized there was a
| timeout set on the client side, so I increased it and could
| slowly but smoothly fill in all the information that required a
| server check.
|
| I guess they never bothered to debug their system when
| accessing it from the other side of the world. All it needed
| was a few extra milliseconds for the requests to arrive in
| time.
| kotaKat wrote:
| A major ISP's "outage check" feature sends all the data back
| client-side for the actual outage ticket, including circuit
| IDs, dispatch status, and if the outage is valid for customer
| credit. I now just hit that API as needed to check when shit
| goes sideways.
|
| Meanwhile, if you put your ZIP in you just get a little
| friendly "We're working on it! :)".
|
| I love data firehoses like that.
| lewisleclerc wrote:
| One of the dating apps with a web interface had a separate API
| to increment message counts sent to users. Non-premium users
| could only like profiles or send a limited number of texts. I
| simply blocked that API and was able to use the app like a
| premium user.
| emptiestplace wrote:
| Leave some _matches_ for the rest of us, Lewis. : <
| dizhn wrote:
| Almost the same thing happens on one of the famous online
| guitar tab playing things and there's a little userscript that
| "fixes" it.
| pipe01 wrote:
| https://f1-dash.com/
| beders wrote:
| It is a good reminder for front-end devs that security-through-
| obscurity is not sufficient. It never has.
|
| Reminds me of a security company that claimed they could force a
| watermark onto any content in their web-front-end. Turns out it
| was a canvas overlay you could just simply delete from the HTML.
| LOL.
| klysm wrote:
| This is such a problem in security - executives don't know that
| and will buy all sorts of security theatre bullshit
| Neywiny wrote:
| I used a tool in school that outputted svgs with watermarks. So
| I proved that if I ever wanted to, though I never needed to, I
| could just delete that element. Trivial.
| RandomDistort wrote:
| A lot of WhatsApp's features are enforced client-side, which
| means on Web they just break with DevTools.
|
| I've done some research into this (haven't published it) but also
| can't get Facebook's bug bounty report tool to work (whenever I
| create a facebook account it gets autobanned) so I haven't been
| able to report them either. I wonder if stuff like this would be
| eligible, I don't see why it wouldn't.
| rini17 wrote:
| Is there also a bypass for the silly insufficient disk space
| error in whatsapp web, other than reloading the page?
| IG_Semmelweiss wrote:
| hugged to death : 503 Service Unavailable
|
| I turned off VPN. No dice.
| unixfox wrote:
| https://web.archive.org/web/20241206210921/https://lcat.dev/...
___________________________________________________________________
(page generated 2024-12-07 23:02 UTC)