The Risks of Using WhatsApp Web on Public Computers in Hong Kong

In a dense and highly connected city like Hong Kong, keeping in touch isn’t a luxury but a necessity. For many people, including students and business travelers, public computers in libraries, internet cafés or business centres are a convenient place to get a few quick things done. One of the most common activities is logging into messaging services to check conversations or send files. WhatsApp Web looks like a perfect link between your phone and a web browser on a computer, but using it on a public terminal raises a host of security and privacy issues that every user should be aware of.

Understanding How WhatsApp Web Works

To understand the risks, it helps to know what is going on behind the scenes. WhatsApp Web is not a standalone program; it acts as a mirror of your smartphone’s WhatsApp account. Once you scan the QR code shown on a public computer’s monitor with your phone, you link that computer’s browser to your device in real time; the session lasts until you manually log out or otherwise close down the browser. Importantly, your messages are not stored on the computer; they are synced from your phone. But the absence of local storage does not automatically protect you from every threat, especially on a computer you don’t own.

The Peril of Session Persistence: Forgetting to Log Out

The easiest and most common way to lose your privacy is by not signing out properly. As a shortcut, some users close the browser window but do not click the “Log out” link in WhatsApp Web, which means that the session remains active. The next person to use the public computer can simply open the browser, and if the session is restored, they will have access to it. All of your personal and group messages, all your media (including media shared with your friends and colleagues) and even small details like your password will be accessible to them.

The Threat of Keyloggers and Spyware

Public computers are generally the machines most exposed to malware infection. Many hackers have developed software that collects every keystroke typed on these computers. Although the normal version of WhatsApp Web has no password (you just scan a QR code to log in), a keylogger could still be lurking on these computers, recording whatever you type. More sophisticated spyware can take screenshots, and possibly access the browser session remotely, exposing whatever appears on the machine: banking information, pictures, documents confidential to your employer.

Compromised Browsers and Network Eavesdropping

The browser on a public computer will probably be outdated or have malware installed that hijacks your session. In addition, public Wi-Fi networks are usually unprotected or poorly secured, which makes them attractive spots for hackers. Using a technique called “man-in-the-middle” (MitM), a hacker on the same network can potentially intercept the data travelling between the public computer and the WhatsApp servers. End-to-end encryption, in the context of this article, protects messages between your phone and your contact’s phone. If the computer itself is compromised, the decrypted messages are displayed on the screen, and outgoing messages could be captured before encryption is applied for sending.

Physical Shoulder Surfing in a Crowded City

Hong Kong is renowned for its dense population and open public spaces. There’s a real possibility of “shoulder surfing” (someone quite literally reading over your shoulder to see what you have on-screen). At a busy internet café or library, where people are packed in, it is very easy for an attacker to watch you scan the QR code, or look over your shoulder while you type, and read secrets in your conversations. This low-tech threat is generally ignored, yet it can be just as effective as hacking for collecting personal data.

Best Practices for Safer Usage

Despite these risks, there are times when you need to use a public computer. When you have to use WhatsApp Web on a public computer in Hong Kong, we recommend you follow these rules carefully:

  • Log Out Every Time: Don’t just close the browser window. Click on the three dots menu at the top of your WhatsApp Web session and choose “Log out” every time.
  • Privacy / Incognito: Open an incognito window before you log into the website; after you close the window, everything you browsed in it, including your session, will be deleted.
  • Check for Active Sessions: Regularly review the active sessions in the WhatsApp mobile app (Settings -> Linked Devices), and if you see a device you don’t recognize, log it out immediately.
  • Sensitive Data: Never discuss or send highly sensitive information (passwords, credit card information).

Conclusion

WhatsApp Web is an invaluable service designed for simplicity, but once it is compromised, that simplicity is gone for good. In the digital jungle that is Hong Kong, where hackers and malware operate 24/7, using the service on a public computer is completely counter-productive. The threat of identity theft, financial loss and loss of privacy far outweighs the perceived gain from checking a message a few minutes earlier. The best strategy is to treat public computers as inherently less trustworthy. Use WhatsApp Web only on your own personal, password-protected and secure devices.