Using WhatsApp Web on a Secondary Phone to Avoid Zero-Click Exploits

DeletedUser252

I know Signal exists and is my preferred option for secure messaging, but I'm exploring ways to safely continue using WhatsApp for contacts who aren't ready to migrate.
Here's the setup I'm considering:

Phone A: A clean, isolated device used only to install WhatsApp and register a number. No personal data or activity. After setup, it's powered off and stored offline.
Phone B (daily driver): I open web.whatsapp.com in a hardened browser and link it via QR code to Phone A’s session. WhatsApp is never installed on this phone.

After linking:

I move the SIM from Phone A to Phone B (to keep using my number for SMS/calls).
WhatsApp Web continues to work on Phone B via Multi-Device mode.
If re-verification is needed, I can briefly reinsert the SIM into Phone A.

Question:
Could Phone B still be at risk from spyware or surveillance via WhatsApp Web? Specifically:

Access to location, mic, camera, or sensors?
Browser-based vulnerabilities that might compromise privacy?

I'm trying to minimize the attack surface while still maintaining WhatsApp access for practical reasons. Would appreciate thoughts or any refinement suggestions.

23Sha-ger

If we look at previous exploits, they were based on memory corruption vulnerabilities in underline format rendering libraries, like Webkit. So you are better off with the regular client which has hardened_malloc, and MTE enabled in the exploit protection menu. Web browsers have more issues since they can be forced to render links, content, attachments. On a desktop, WhatsApp Web in a sandboxed Chromium is probably safer, on GOS however, it's mostly the other way around. You can turn off all link previews in the mobile app, on a web session however, since it's an actual browser, there might be ways to potentially overcome this.

dasaint100

23Sha-ger

Would there be more exploits created for the WhatsApp app compared to WhatsApp Web on a browser such as Brave or Vanadium? Or likely not app specific.

Open_Source_Enjoyer

23Sha-ger Web browsers have more issues since they can be forced to render links, content, attachments

I was used to think that web sites an do a lot less then installed apps to the device.
Additional: If a website is escaping website sandbox integrated in the browser, is also has to escape the app sandbox that sandbox the browser itself.

locked

If you have at least a P8, you can enable MTE (memory tagging extention). You can also disable webview JIT in Exploit protection. You can also disable dynamic code loading via memory. I am also experimenting disabling sensors for whatsapp. It seems to be working with the occasional crashing to to MTE.

dasaint100

locked looked into Element as a Whatsapp client and it seems to have a log in required just like any linked device every two weeks.

23Sha-ger

Open_Source_Enjoyer
I'm not talking in terms of exploiting the browser sandbox and escaping it's sandbox, but rather more common things a browser is actually supposed to do. For example it can load remote fonts, check for revoked certificates, render attachments, and can generally be more chatty if enhancing privacy is what you are after. Also in terms of notifications, it won't integrate as seamlessly as a dedicated app. Probably battery life will be worse as well but that's the least of a concern.

Open_Source_Enjoyer

23Sha-ger check for revoked certificates

Is this a bad thing for privacy and security?

23Sha-ger render attachments

Can't apps also load and display any file they want to?

23Sha-ger can generally be more chatty if enhancing privacy is what you are after

Source? To my knowledge, especially with browsers like Brave or Firefox with some addons, websites can do a lot less then apps.

23Sha-ger

Open_Source_Enjoyer Is this a bad thing for privacy and security?

Potentially it's bad because you can self sign a certificate, and if a browser checks the CRL/OCSP at the attackers specified URL, it will expose the IP of the user.

Open_Source_Enjoyer Can't apps also load and display any file they want to?

No, apps rely on system libraries and frameworks for that. A browser, like Firefox, can use it's own library.
There is a limited list of filetypes and formats Whatsapp will render itself, it will likely invoke another app for that.

Open_Source_Enjoyer especially with browsers like Brave or Firefox with some addons, websites can do a lot less then apps.

We are not talking about what websites can do, we are talking about browser capabilities as an attack surface for leaks. If you disable link previews in the WhatsApp client, it will stay disabled. On a web version, there are more ways to make it fetch remote content.