Another reminder that if you want perfect security or privacy online you shouldn't expect every single bell and whistle of tech-enabled convenience to be handily on tap.
End-to-end encrypted messaging app WhatsApp has been shown leaking metadata as users type URLs within chats, in a way that could at least in theory offer a route for a sophisticated adversary to obtain a user's IP address.
The behavior is almost certainly a result of a convenience feature the messaging app offers its mainstream user base by serving up a preview of URLs within chats as they type. To be clear, no actual message data is leaking here. Chats are still e2e encrypted. WhatsApp is still a secure messaging option for mainstream users.
But in some instances the app could also leak the user agent and Android version as well as the IP address metadata, via this route. This is according to third-party developer @mulander, who identified and flagged the issue via Twitter. He's also posted a short summary of findings on Hacker News.
Mulander says he came across the behavior because he self-hosts his email and blog, and noticed WhatsApp's GET requests coming in, character by character, while he was looking at his web serving software logs.
"The information the application is currently leaking is: the IP address, Android version and WhatsApp version of the phone the person entering the URL uses, the exact URL being typed in and the exact time each keystroke happens," Mulander told us.
"It's not possible for [WhatsApp] to obtain the preview and not leak the IP address of the requester (and it's good that they don't do the request on behalf of the user as that would mean they get to know the content of the message which is not the case)."
But he suggests WhatsApp could stutter these GET requests to obscure (if slightly) the moment when a user is typing a URL. Rather than fetch it character by character in real-time, which does leak typing cadence and, potentially, other unintended information (say, a second URL or some words mistakenly entered after the first URL without being separated by a space).
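The difference between the two fetch strategies can be seen in a small simulation. This is an added example, not code from the article, from Mulander or from WhatsApp; the URL-detection rule, the keystroke timings and all function names are assumptions made for illustration.

```python
import re

# Assumption: the client treats text as previewable once it looks like
# scheme://host.tld[/path]. WhatsApp's real trigger rule is not on the page.
URL_RE = re.compile(r"^https?://[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$")

def type_out(text, gaps_ms):
    """Turn text plus inter-key gaps into (timestamp_ms, text_so_far) events."""
    t, events = 0, []
    for i, gap in enumerate(gaps_ms):
        t += gap
        events.append((t, text[: i + 1]))
    return events

def per_keystroke_requests(events):
    """Behaviour described in the article: one GET per keystroke once the text is a URL."""
    return [(t, s) for t, s in events if URL_RE.match(s)]

def debounced_requests(events, quiet_ms):
    """Suggested mitigation: fetch only after the user has paused for quiet_ms."""
    out = []
    for i, (t, s) in enumerate(events):
        next_t = events[i + 1][0] if i + 1 < len(events) else None
        paused = next_t is None or next_t - t >= quiet_ms
        if paused and URL_RE.match(s):
            out.append((t + quiet_ms, s))
    return out

def leaked_gaps(requests):
    """Inter-arrival times the web server can read straight from its access log."""
    times = [t for t, _ in requests]
    return [b - a for a, b in zip(times, times[1:])]

# Constructed sample: a user typing a URL with uneven gaps between keys (ms).
TEXT = "https://example.org/a1"
GAPS = [0, 120, 95, 140, 110, 80, 60, 210, 130, 90, 170, 100, 85, 150,
        300, 125, 95, 110, 400, 180, 220, 160]
EVENTS = type_out(TEXT, GAPS)

if __name__ == "__main__":
    for label, reqs in [("per-keystroke", per_keystroke_requests(EVENTS)),
                        ("debounced 500ms", debounced_requests(EVENTS, 500)),
                        ("debounced 350ms", debounced_requests(EVENTS, 350))]:
        print(label, len(reqs), "requests, gaps seen by server:", leaked_gaps(reqs))
        for t, url in reqs:
            print(f"  t={t:>5}ms GET {url}")
```

With a quiet period shorter than the user's longest pause, the debounced client still fetches a partial URL, which is why the mitigation obscures the typing only slightly; the IP address is exposed by any fetch at all.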
He also argues WhatsApp could disable website previews by default, though a mainstream app cannot realistically function by shielding convenience-focused features from its users, given that, as a general rule, those users are unlikely to be able to ferret out such functions on their own; ergo, they need (and expect) convenience served up for them.
And it is, after all, WhatsApp's convenience that has helped make e2e encryption messaging accessible for so many mainstream app users. Which is a good thing. However, the Facebook-owned messaging app does not currently offer any way to disable the website previews function within WhatsApp, and that does seem a shame.
If it did offer an option, users with specific concerns or a very high threat level could at least choose to close off the risk of metadata leakage via a typed URL route.
In the absence of such an option, I guess a manual workaround is not to type URLs into your WhatsApp chats. Or to use an alternative (e2e) messaging app that doesn't serve website previews when you want to send URLs to contacts.
For instance, the Signal messaging app, whose end-to-end encrypted protocol WhatsApp also uses, does not leak metadata because it does not fetch URL previews.
This too is expected behavior for that other messaging app given Signal's fuller focus on security over mainstream convenience. (And Signal's user base is also nowhere near the size of WhatsApp's.)
Point is: Security choices are like horses for courses.
"Please note that I don't consider this a high security flaw," emphasizes Mulander of WhatsApp's GET requests. "Yes they are leaking information but encryption is NOT broken in their software."
The information leak is a side channel that a very sophisticated adversary could use to connect metadata and gain additional information on the conversation but the clear text message is not transmitted over the Internet.
We reached out to WhatsApp for comment on the issue but at the time of writing the company had not responded.
Weighing in via Twitter, software engineer Alec Muffett, who implemented the e2e crypto for Facebook's private chats feature when he worked at WhatsApp's parent company, is largely dismissive.
Though others in the infosec space agree a "no preview" option would at least be a nice-to-have in WhatsApp.
tl;dr, a little more privacy-minded obfuscation and user choice would, arguably, be nice from WhatsApp and, if implemented well, should not risk overcomplicating its usability.
But the primary issue being flagged up is the perennial tug-of-war between security and convenience. Bottom line: People need to select the appropriate security tool for their threat level.
While those with specific concerns over digital privacy (say, focused on IP addresses being used for tracking/ad targeting) may need to be prepared to give up more tech-enabled convenience than others.
The other issue being underlined here is the need for complex technologies to be better articulated by the industry as a whole to help users understand their relative risk. And to avoid intended trade-offs/design decisions being misconstrued as something more sinister. Or security to be conflated with privacy.