Another reminder that if you want perfect security or privacy online you shouldn't expect every single bell and whistle of tech-enabled convenience to be handily on tap.

End-to-end encrypted messaging app WhatsApp has been shown leaking metadata as users type URLs within chats, in a way that could - at least in theory - offer a route for a sophisticated adversary to obtain a user's IP address.

The behavior is almost certainly a result of a convenience feature the messaging app offers its mainstream user base by serving up a preview of URLs within chats as they type.

To be clear, no actual message data is leaking here. WhatsApp is still a secure messaging option for mainstream users.

But in some instances the app could also leak the user agent and Android version as well as the IP address metadata, via this route.

This is according to third party mulander, who identified and flagged the issue via Twitter. He's also posted a short summary of findings on Hacker News.

Mulander says he came across the behavior because he self-hosts his email and blog, and noticed WhatsApp's GET requests coming in, character by character, while he was looking at his web serving software logs.

Very creepy someone was apparently typing in an URL and WhatsApp was fetching it off my server char-by-char /sFTxhfpISv

Others joining the discussion on Twitter said they were able to replicate the behavior.

“The information the application is currently leaking is: the IP address, Android version and WhatsApp version of the phone the person entering the URL uses, the exact URL being typed in and the exact time each keystroke happens,” Mulander told us.

“It’s not possible for to obtain the preview and not leak the IP address of the requester (and it’s good that they don’t do the request on behalf of the user as that would mean they get to know the content of the message which is not the case).”

But he suggests WhatsApp could stutter these GET requests to obscure (if slightly) the moment when a user is typing a URL. Rather than fetch it character by character in real-time, which does leak typing cadence and, potentially, other unintended information - say, a second URL or some words mistakenly entered after the first URL without being separated by a space.

He also argues WhatsApp could disable website previews by default - though a mainstream app cannot realistically function by shielding convenience-focused features from its users, given that, as a general rule, those users are unlikely to be able to ferret out such functions on their own; ergo, they need (and expect) convenience served up for them.

And it is, after all, WhatsApp’s convenience that has helped make e2e encryption messaging accessible for so many mainstream app users.

However the Facebook-owned messaging app does not currently offer any way to disable the website previews function within WhatsApp - and that does seem a shame.

If it did offer an option, users with specific concerns - or a very high threat level - could at least choose to close off the risk of metadata leakage via a typed URL route.
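
The effect of Mulander's suggestion to delay the preview request, instead of fetching character by character, can be seen in a small simulation. This is an added example, not WhatsApp's code or anything from the original article; the typing trace, the `blog.example` URL, the regex and the idle and jitter values are all constructed assumptions.

```python
import random
import re

URL_RE = re.compile(r"https?://\S+")  # crude URL-candidate detector (assumption)

def sample_trace(message="see https://blog.example/p1 ok", gap_ms=180):
    """Constructed typing trace: one (time_ms, text_so_far) pair per keystroke."""
    return [(i * gap_ms, message[:i]) for i in range(1, len(message) + 1)]

def eager_fetches(trace):
    """Behaviour described in the article: a GET whenever the URL candidate changes."""
    out, last = [], None
    for t_ms, text in trace:
        m = URL_RE.search(text)
        url = m.group(0) if m else None
        if url and url != last:
            out.append((t_ms, url))  # request time equals keystroke time
        last = url
    return out

def deferred_fetches(trace, idle_ms=1500, jitter_ms=500, rng=None):
    """One GET per URL, sent only once the candidate has stopped changing."""
    rng = rng or random.Random()
    out, seen = [], set()
    for i, (t_ms, text) in enumerate(trace):
        m = URL_RE.search(text)
        if not m:
            continue
        url = m.group(0)
        terminated = m.end() < len(text)  # whitespace typed after the URL
        next_t = trace[i + 1][0] if i + 1 < len(trace) else None
        paused = next_t is None or next_t - t_ms >= idle_ms
        if (terminated or paused) and url not in seen:
            seen.add(url)
            base = t_ms if terminated else t_ms + idle_ms
            # Random delay decouples the request time from the keystroke time.
            out.append((base + rng.randint(0, jitter_ms), url))
    return out

if __name__ == "__main__":
    trace = sample_trace()
    print("eager:   ", len(eager_fetches(trace)), "requests")
    print("deferred:", deferred_fetches(trace))
```

A long pause in the middle of a URL still sends the partial URL, and the single deferred request still exposes the IP address and user agent to the server, as the quote above notes.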