Semi-related: On the old F1 website, they'd post the lap and sector times of drivers during an F1 session (practice, qualifying, race). First it was a Java app which had all the data, and then they got fancy and wrote it in JavaScript, and enshittified it: if you don't subscribe to their premium... website offering?.. you just get colored sectors whenever the driver's finished that sector (yellow as they've passed it, green if it's the fastest time they've driven through this sector, purple if it's the fastest of anyone in the current session). I was wondering if they still had the sector times and just hid them on the frontend, and that was the case. There was an if-block that was called during initialization that checked if the user was premium. Adding a breakpoint and adding a condition to set premium = true got me the sector times!

And then they changed their app to use Unity and WASM, and it's all Assembly-esque in the developer tools.
A lot of WhatsApp's features are enforced client-side, which means on Web they just break with DevTools.

I've done some research into this (haven't published it) but also can't get Facebook's bug bounty report tool to work (whenever I create a Facebook account it gets autobanned), so I haven't been able to report them either. I wonder if stuff like this would be eligible; I don't see why it wouldn't.
It is a good reminder for front-end devs that security-through-obscurity is not sufficient. It never has been.

Reminds me of a security company that claimed they could force a watermark onto any content in their web front-end.
Turns out it was a canvas overlay you could just simply delete from the HTML. LOL.
I think my expectations for a feature called “locked chats” are somewhat different from those of WhatsApp.

What is the value of locking something if the lock can be easily bypassed? Just preventing the least sophisticated attacks?

In this case, I think WhatsApp should have done better — or refrained from adding this feature at all.