
“Someone was typing in a URL and WhatsApp was fetching it off my server” - sr2
https://twitter.com/mulander/status/874370124932943874
======
mulander
Hi HN, op here.

I posted this not because I was angry about having a GET request sent to my
server on a char-by-char basis. My main concerns were privacy related; since I
posted this, some additional things came to light:

1) This leaks the IP address of the person writing the msg

2) When property="og:image" is used it also leaks the User Agent and Android
version [1]

3) When presented with invalid headers as a reply it can cause a crash on iOS,
which means this is a potential RCE vector [2]

4) It leaks the exact time a URL is typed into a chat

5) It's on by default; this is the default behavior in E2E encrypted
conversations [3]

I don't use WhatsApp; I found this out by accident as I just have a habit of
tailing my logs. I know though that Signal doesn't do any of this pre-fetching.
I am aware this is a 'feature' but there's no place for it when security is
involved.

[1] [https://twitter.com/0xjomo/status/874585822158352384](https://twitter.com/0xjomo/status/874585822158352384)
[2] [https://twitter.com/dr4ys3n/status/874725257722179584](https://twitter.com/dr4ys3n/status/874725257722179584)
[3] [https://mastodon.social/@rysiek/9146943](https://mastodon.social/@rysiek/9146943)

~~~
evgen
These are all expected behaviors and are the correct decisions if the user
expectation is that URLs generate preview cards.

If the connection was not made from the client (aka 'leaks the IP address')
then it would need to be proxied (aka central point for 5eyes to monitor to
get all WA client urls) or the servers would need to know the contents of the
messages (aka break e2e and we are still back to a central monitoring point.)

Of course it will send user agent info, so that it can provide a better
preview card if the site supports taking advantage of this info. If it only
provides this when you explicitly try to send the info then it is doing what
the user told it to do.

The header bug is interesting and if it is actually a WA problem you should
report it.

Of course it leaks the exact time a URL is typed into chat. I can't even
imagine what you are trying to say here since this is a point that is without
a point. We have already established what it is trying to do and in that
context this point makes no sense.

It is on by default and is the default behavior because this is what users
expect. The secure features of WA are a bonus, but are not the raison d'etre
here and when it comes down to it WA is a messaging app and it prioritizes
usability when the feature is not an egregious security problem. In this case
it is not a major security problem so usability and expectations win.

------
thebiglebrewski
Did you all know that Chrome does this too? May sound obvious but I always had
assumed that nothing is sent until you press enter for some reason (yeah I
know, search prediction would be impossible without that). But one day I was
typing in a path on a test URL and noticed my server getting hit on every
single letter.

~~~
cuckcuckspruce
Yes, Chrome does it as well, but I expect that as it's a web browser. I know
the tradeoffs when browsing the web and expect that my requests will be
visible across the Internet. That's just how web browsing works.

However, WhatsApp is selling a solution that is meant to provide privacy. When
I write a URL in an SMS, my phone does not try to preemptively retrieve it to
display a preview. WhatsApp may be encrypting the message, but it's
identifying me to a server while I'm composing it, which is enough to
completely destroy any level of privacy or anonymity that I would expect.

~~~
justboxing
> WhatsApp is selling a solution that is meant to provide privacy.

Yep you are right. They even tout this in their Security Page.

[https://www.whatsapp.com/security/](https://www.whatsapp.com/security/)

> WhatsApp's end-to-end encryption ensures only you and the person you're
> communicating with can read what is sent, and nobody in between, not even
> WhatsApp. This is because your messages are secured with a lock, and only
> the recipient and you have the special key needed to unlock and read them.

~~~
cuckcuckspruce
I suppose that I'm not surprised. You can't audit WhatsApp's source code, and
even if you could, you can't guarantee what you're putting on your device
matches the source code. Yet another closed source, inherently untrustable
system.

~~~
DougN7
Even with open source you don't know what you're putting on your device
matches the source code (unless you're part of the 0.00001% that would compile
their own mobile apps).

------
code_duck
In order to produce the link preview, probably. As far as why it's character
by character, I don't know, but that doesn't seem very sinister to me.
Checking URLs letter by letter is sloppy, especially if you're not even trying
to do auto completion, but it doesn't reveal any more information than a
complete url could. Anyway, I would think they are expecting people to paste
URLs in, not type them.

I've written code to fetch sites and give a preview, for a bookmarking
bookmarklet. This involves analyzing the html for title and to select best
image to represent the page. That of course necessitates retrieving the page,
either through the client or server.

~~~
revicon
It's not sinister so much as that Whatsapp is sending the requests directly
from the user's phone (not through a proxy, etc) which is exposing the end
user's IP address and full user agent string to the website hosting the page.
This information could be used to identify the end user which goes against
Whatsapp's whole "Privacy and Security is in our DNA" thing.
([https://www.whatsapp.com/security/](https://www.whatsapp.com/security/))

See this tweet for the info exposed:
[https://twitter.com/0xjomo/status/874585822158352384](https://twitter.com/0xjomo/status/874585822158352384)

~~~
Jare
Knowing that WhatsApp produces link preview cards, I frankly don't see
anything here that I didn't already expect and assume was happening - these
cards come from somewhere that is neither me nor my conversation partner. This
can't be a surprise to anyone who was concerned about privacy.

If WA proxied the request, it would be WA snooping on the conversation, and
that would be a way larger problem because they would accumulate that metadata
for EVERYONE.

If you don't want cards or external requests in the conversation, you
obfuscate the URL with any of the myriad methods people use to get past
anti-URL filters in forums etc.

------
emilfihlman
E: Disregard. Whatsapp is doing exactly what they should be doing. Telegram
seems to proxy the requests.

Why is no one saying anything about end to end crypto?

Whatsapp shouldn't be able to see my messages, isn't that what they say
themselves?

~~~
jwilk
The 4th comment is:

 _doing a GET request over the internet is already violating e2e_

~~~
jszymborski
not if it's over TLS/SSL...

~~~
jjnoakes
When both e's in e2e are the parties of the conversation, and the TLS
connection is to a third party, then yes it is a violation of their claim.

~~~
jszymborski
I'm going to have to disagree with that. The TLS connection is not part of the
conversation... it has no ability to intercept messages, encrypted or
otherwise.

It's merely just another e2e communication between the client and another
party, albeit through another protocol.

~~~
jjnoakes
But it reveals part of what was typed in the e2e chat to the third party...
tls or not is irrelevant to that point.

~~~
jszymborski
True, I overlooked that. Thanks for taking the time to point that out :)

------
twiss
This makes me think of another potential privacy risk: if you paste a URL in
WhatsApp, or click Android's share button and select WhatsApp, it doesn't add
a space after the url. Most users are probably aware that they have to add a
space, but if they forget, WhatsApp will probably send the first word of the
rest of the message to the server. (Similarly if you paste a URL at the start
of an already-written message, but maybe that's even more contrived.)

------
Hoshea
Apparently several other messaging apps behave similarly; in the replies to
that tweet there were mentions of Facebook Messenger[0] and Telegram[1].

[0][https://pbs.twimg.com/media/DCRsz7mXUAAEbKK.jpg](https://pbs.twimg.com/media/DCRsz7mXUAAEbKK.jpg)
[1][https://pbs.twimg.com/media/DCSyWs0XcAAQb2N.jpg](https://pbs.twimg.com/media/DCSyWs0XcAAQb2N.jpg)

------
philippz
On the one hand it provides a better user experience if WhatsApp can figure
out the URL and preview information about the posted URL (like any social
network does today; even we do it at STOMT when you attach a URL to your
feedback).

On the other hand I do not get why they send it after every character. Makes
it even faster but creates a bunch of unnecessary requests. Not very user
friendly. They could do it after they recognize a finished URL (as soon as
there is a space). And as pointed out in the tweets it COULD harm the user's
privacy.

~~~
benologist
They're probably trying to prefetch the URLs so they're loaded by the time you
want it, just not a nice way of doing it.

~~~
philippz
Yeah right.

------
sliken
Skype scans messages for URLs and downloads them. Microsoft's claim is that
they are checking for malware; still creepy.

~~~
therealidiot
Does anyone remember that time that they blocked any messages containing
YouTube URLs in MSN Messenger?

------
hakcermani
One aspect is the lack of debounce, but also revealing the end user's IP and
user agent. They could proxy external link requests via WhatsApp servers
without breaking end-to-end encryption. Wonder what iMessage does?!

~~~
mobilethrow
> They could proxy external link requests via whatsapp servers without
> breaking end to end encryption.

What good is E2E if you are going to send the plaintext home anyway? Doing
these requests on the device is stupid, but proxying them through FB servers
would border on malicious.

------
adad95
I believe this behavior is for information gathering about odata.

------
jolux
What does Signal do for link previews? Nothing at all?

------
kawera
Prefetching a webpage to generate its preview should at least be optional,
controlled through user settings.

------
ythn
Seems like they need debounce? Most JS utility libraries (lodash, etc) have a
debounce function...

~~~
mort96
And even if you don't use those, debounce takes about 4 lines to write.
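
An added example, not WhatsApp's code or anything posted in the thread, that runs one typing session through the per-keystroke trigger and through the "finished URL plus debounce" approach philippz, ythn and mort96 describe, and counts what each would send to the remote host. The message, key timings and example.com URL are constructed.

```javascript
// Added example, not code from the original post or from WhatsApp: the same
// typing session run through two link-preview trigger policies, to show how
// many requests each makes and what each request would reveal to the host.
const ANY_URL = /https?:\/\/\S+/g;

// Builds the draft as it looks after each keystroke. pauses[n] is extra idle
// time (ms) after the n-th character, on top of keyDelayMs between keys.
function typingSession(message, keyDelayMs, pauses = {}) {
  const snapshots = [];
  let t = 0;
  for (let i = 1; i <= message.length; i++) {
    snapshots.push({ t, text: message.slice(0, i) });
    t += keyDelayMs + (pauses[i] || 0);
  }
  return snapshots;
}

// Naive policy: every keystroke that leaves a URL-looking token in the draft
// fires a request for that token as it stands, partial path and all.
function naiveRequests(snapshots) {
  return snapshots.flatMap(({ text }) => text.match(ANY_URL) || []);
}

// URLs that are finished: followed by whitespace, or by end of draft once the
// message is actually being sent.
function completedUrls(text, sending) {
  const re = sending ? /https?:\/\/\S+(?=\s|$)/g : /https?:\/\/\S+(?=\s)/g;
  return Array.from(text.matchAll(re), (m) => m[0]);
}

// Debounced policy: only look for URLs when the draft has sat untouched for
// quietMs (or is being sent), only take finished ones, and never fetch the
// same URL twice for one draft.
function debouncedRequests(snapshots, quietMs) {
  const requests = [];
  const seen = new Set();
  snapshots.forEach(({ t, text }, i) => {
    const next = snapshots[i + 1];
    const sending = !next;
    if (!sending && next.t - t < quietMs) return;
    for (const url of completedUrls(text, sending)) {
      if (!seen.has(url)) { seen.add(url); requests.push(url); }
    }
  });
  return requests;
}

// Constructed session: 100 ms per key, a 2 s pause mid-URL (after character
// 23) and another right after the space that finishes the URL (after 32).
const SESSION = typingSession("see https://example.com/q?id=42 thanks", 100, { 23: 2000, 32: 2000 });
console.log(naiveRequests(SESSION).length, new Set(naiveRequests(SESSION)).size); // 26 19
console.log(debouncedRequests(SESSION, 500)); // [ 'https://example.com/q?id=42' ]
```

The debounced policy still depends on the whitespace delimiter, so twiss's case above (a pasted URL with no space before the next word) sends the glued-on word as part of the path under either policy.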

------
luisrudge
probably WhatsApp web version? it adds some kind of description if you send a
URL: [https://i.imgur.com/Rkl2cZJ.png](https://i.imgur.com/Rkl2cZJ.png)

------
awqrre
Did that change happen before or after the acquisition by Facebook?

------
out_of_protocol
Plain creepy. Also, does it produce a lot of traffic?

~~~
Analemma_
This is a stupid and crappy implementation of a helpful feature, but how is it
creepy?

