Should WhatsApp let you disable URL previews, TechCrunch
Should WhatsApp let you disable URL previews?
Another reminder that if you want ideal security or privacy online you shouldn’t expect every single bell and whistle of tech-enabled convenience to be handily on tap.
End-to-end encrypted messaging app WhatsApp has been shown leaking metadata as users type URLs within talks, in a way that could — at least in theory — suggest a route for a sophisticated adversary to obtain a user’s IP address.
The behavior is almost certainly a result of a convenience feature the messaging app offers its mainstream user base by serving up a preview of URLs within talks as they type. To be clear, no actual message data is leaking here. Talks are still e2e encrypted. WhatsApp is still a secure messaging option for mainstream users.
But in some instances the app could also leak the user agent and Android version as well as the IP address metadata, via this route. This is according to third party developer, @mulander, who identified and flagged the issue via Twitter. He’s also posted a brief summary of findings on Hacker News.
Mulander says he came across the behavior because he self-hosts his email and blog, and noticed WhatsApp’s GET requests coming in, character by character, while he was looking at his web serving software logs.
Very creepy @WhatsApp, someone was evidently typing in an URL and WhatsApp was fetching it off my server char-by-char pic.twitter.com/sFTxhfpISv
Others joining the discussion on Twitter said they were able to replicate the behavior.
“The information the application is presently leaking is: the IP address, Android version and WhatsApp version of the phone the person injecting the URL uses, the exact URL being typed in and the exact time each keystroke happens,” Mulander told us.
“It’s not possible for [WhatsApp] to obtain the preview and not leak the IP address of the requester (and it’s good that they don’t do the request on behalf of the user as that would mean they get to know the content of the message which is not the case).”
But he suggests WhatsApp could stutter these GET requests to obscure (if slightly) the moment when a user is typing a URL. Rather than fetch it character by character in real-time, which does leak typing cadence and, potentially, other unintended information — say, a 2nd URL or some words mistakenly entered after the very first URL without being separated by a space.
He also argues WhatsApp could disable website previews by default — tho’ a mainstream app cannot realistically function by shielding convenience-focused features from its users, given that, as a general rule, those users are unlikely to be able to ferret out such functions on their own; ergo, they need (and expect) convenience served up for them.
And it is, after all, WhatsApp’s convenience that has helped make e2e encryption messaging accessible for so many mainstream app users. Which is a good thing. However the Facebook-owned messaging app does not presently suggest any way to disable the website previews function within WhatsApp — and that does seem a shame.
If it did suggest an option, users with specific concerns — or a very high threat level — could at least choose to close off the risk of metadata leakage via a typed URL route.
In the absence of such an option, I guess a manual workaround is not to type URLs into your WhatsApp talks. Or to use an alternative (e2e) messaging app that doesn’t serve website previews when you want to send URLs to contacts.
For example, the Signal messaging app, whose end-to-end encrypted protocol WhatsApp also uses, does not leak metadata because it does not fetch URL previews.
For those that were asking – @whispersystems #signal doesn’t leak data by fetching previous. I checked (on Android). https://t.co/3D1O8ItMZ9
This too is expected behavior for that other messaging app given Signal’s fuller concentrate on security over mainstream convenience. (And Signal’s user base is also nowhere near the size of WhatsApp’s.)
Point is: Security choices are like horses for courses.
“Please note that I don’t consider this a high security flaw,” emphasizes Mulander of WhatsApp’s GET requests. “Yes they are leaking information but encryption is NOT cracked in their software.
“The information leak is a side channel that a very sophisticated adversary could use to connect metadata and build up extra information on the conversation but the clear text message is not transmitted over the Internet.”
We reached out to WhatsApp for comment on the issue but at the time of writing the company had not responded.
Weighing in via Twitter, software engineer Alec Muffett, who implemented the e2e crypto for Facebook’s private talks feature when he worked at WhatsApp’s parent company, is largely dismissive…
However others in the infosec space agree a ‘no preview’ option would at least be a nice-to-have in WhatsApp…
I’ll just say: having a "no previews" option would be nice… 🙂
tl;dr, a little more privacy-minded obfuscation and user choice would, arguably, be nice from WhatsApp — and, if implemented well, should not risk overcomplicating its usability.
But the primary issue being flagged up is the perennial tug-of-war inbetween security and convenience. Bottom line: People need to select the suitable security implement for their threat level.
While those with specific concerns over digital privacy (say, focused on IP addresses being used for tracking/ad targeting) may need to be ready to give up more tech-enabled convenience than others.
The other issue being underlined here is the need for complicated technologies to be better articulated by the industry as a entire — to help users understand their relative risk. And to avoid intended trade-offs/design decisions being misconstrued as something more sinister. Or security to be conflated with privacy.
Should WhatsApp let you disable URL previews, TechCrunch
Should WhatsApp let you disable URL previews?
Another reminder that if you want flawless security or privacy online you shouldn’t expect every single bell and whistle of tech-enabled convenience to be handily on tap.
End-to-end encrypted messaging app WhatsApp has been shown leaking metadata as users type URLs within talks, in a way that could — at least in theory — suggest a route for a sophisticated adversary to obtain a user’s IP address.
The behavior is almost certainly a result of a convenience feature the messaging app offers its mainstream user base by serving up a preview of URLs within talks as they type. To be clear, no actual message data is leaking here. Talks are still e2e encrypted. WhatsApp is still a secure messaging option for mainstream users.
But in some instances the app could also leak the user agent and Android version as well as the IP address metadata, via this route. This is according to third party developer, @mulander, who identified and flagged the issue via Twitter. He’s also posted a brief summary of findings on Hacker News.
Mulander says he came across the behavior because he self-hosts his email and blog, and noticed WhatsApp’s GET requests coming in, character by character, while he was looking at his web serving software logs.
Very creepy @WhatsApp, someone was evidently typing in an URL and WhatsApp was fetching it off my server char-by-char pic.twitter.com/sFTxhfpISv
Others joining the discussion on Twitter said they were able to replicate the behavior.
“The information the application is presently leaking is: the IP address, Android version and WhatsApp version of the phone the person injecting the URL uses, the exact URL being typed in and the exact time each keystroke happens,” Mulander told us.
“It’s not possible for [WhatsApp] to obtain the preview and not leak the IP address of the requester (and it’s good that they don’t do the request on behalf of the user as that would mean they get to know the content of the message which is not the case).”
But he suggests WhatsApp could stutter these GET requests to obscure (if slightly) the moment when a user is typing a URL. Rather than fetch it character by character in real-time, which does leak typing cadence and, potentially, other unintended information — say, a 2nd URL or some words mistakenly entered after the very first URL without being separated by a space.
He also argues WhatsApp could disable website previews by default — however a mainstream app cannot realistically function by shielding convenience-focused features from its users, given that, as a general rule, those users are unlikely to be able to ferret out such functions on their own; ergo, they need (and expect) convenience served up for them.
And it is, after all, WhatsApp’s convenience that has helped make e2e encryption messaging accessible for so many mainstream app users. Which is a good thing. However the Facebook-owned messaging app does not presently suggest any way to disable the website previews function within WhatsApp — and that does seem a shame.
If it did suggest an option, users with specific concerns — or a very high threat level — could at least choose to close off the risk of metadata leakage via a typed URL route.
In the absence of such an option, I guess a manual workaround is not to type URLs into your WhatsApp talks. Or to use an alternative (e2e) messaging app that doesn’t serve website previews when you want to send URLs to contacts.
For example, the Signal messaging app, whose end-to-end encrypted protocol WhatsApp also uses, does not leak metadata because it does not fetch URL previews.
For those that were asking – @whispersystems #signal doesn’t leak data by fetching previous. I checked (on Android). https://t.co/3D1O8ItMZ9
This too is expected behavior for that other messaging app given Signal’s fuller concentrate on security over mainstream convenience. (And Signal’s user base is also nowhere near the size of WhatsApp’s.)
Point is: Security choices are like horses for courses.
“Please note that I don’t consider this a high security flaw,” emphasizes Mulander of WhatsApp’s GET requests. “Yes they are leaking information but encryption is NOT cracked in their software.
“The information leak is a side channel that a very sophisticated adversary could use to connect metadata and build up extra information on the conversation but the clear text message is not transmitted over the Internet.”
We reached out to WhatsApp for comment on the issue but at the time of writing the company had not responded.
Weighing in via Twitter, software engineer Alec Muffett, who implemented the e2e crypto for Facebook’s private talks feature when he worked at WhatsApp’s parent company, is largely dismissive…
Tho’ others in the infosec space agree a ‘no preview’ option would at least be a nice-to-have in WhatsApp…
I’ll just say: having a "no previews" option would be nice… 🙂
tl;dr, a little more privacy-minded obfuscation and user choice would, arguably, be nice from WhatsApp — and, if implemented well, should not risk overcomplicating its usability.
But the primary issue being flagged up is the perennial tug-of-war inbetween security and convenience. Bottom line: People need to select the suitable security device for their threat level.
While those with specific concerns over digital privacy (say, focused on IP addresses being used for tracking/ad targeting) may need to be ready to give up more tech-enabled convenience than others.
The other issue being underlined here is the need for elaborate technologies to be better articulated by the industry as a entire — to help users understand their relative risk. And to avoid intended trade-offs/design decisions being misconstrued as something more sinister. Or security to be conflated with privacy.
Leave a Reply