Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Using this package is a security failure from the beginning. It doesn’t use the public WhatsApp API, it reimplements the official WhatsApp client auth. Authentication uses a shared secret and it’s obvious that you as a third party obtaining this secret from your users is unsafe and a bad practice (especially if it’s third party code processing it!).

Users should know better as well but you can’t really blame them.



> It doesn’t use the public WhatsApp API, it reimplements the official WhatsApp client auth.

Nothing wrong with that if the official API has less features.

> Authentication uses a shared secret and it’s obvious that you as a third party obtaining this secret from your users

What do you mean? Usually, you install such a package to automate WhatsApp for your own account.


> public WhatsApp API

There is no public WhatsApp API. You need to sign up for "WhatsApp Business Platform" to be able to use an API to interact with WhatsApp.

If there was a real API for WhatsApp, this probably wouldn't have happened.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: