Another reminder that if you want perfect security or privacy online you shouldn’t expect every single bell and whistle of tech-enabled convenience to be handily on tap.
End-to-end encrypted messaging app WhatsApp has been shown leaking metadata as users type URLs within chats, in a way that could — at least in theory — offer a route for a sophisticated adversary to obtain a user’s IP address.
The behavior is almost certainly a result of a convenience feature the messaging app offers its mainstream user base: serving up a preview of URLs within chats as users type them. To be clear, no actual message data is leaking here. Chats are still e2e encrypted. WhatsApp is still a secure messaging option for mainstream users.
But in some instances the app could also leak the user agent and Android version as well as the IP address metadata, via this route. This is according to third-party developer, @mulander, who identified and flagged the issue via Twitter. He’s also posted a short summary of findings on Hacker News.
Mulander says he came across the behavior because he self-hosts his email and blog, and noticed WhatsApp’s GET requests coming in, character by character, while he was looking at his web serving software logs.
Others joining the discussion on Twitter said they were able to replicate the behavior.
“The information the application is currently leaking is: the IP address, Android version and WhatsApp version of the phone the person entering the URL uses, the exact URL being typed in and the exact time each keystroke happens,” Mulander told us.
“It’s not possible for [WhatsApp] to obtain the preview and not leak the IP address of the requester (and it’s good that they don’t do the request on behalf of the user as that would mean they get to know the content of the message which is not the case).”
But he suggests WhatsApp could stutter these GET requests to obscure (if slightly) the moment when a user is typing a URL, rather than fetching it character by character in real time, which does leak typing cadence and, potentially, other unintended information — say, a second URL or some words mistakenly entered after the first URL without being separated by a space.
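To make the difference concrete, here is an added example (not WhatsApp's code and not from Mulander) that replays a constructed keystroke trace under two preview policies: fetch on every change, and fetch only after a typing pause. The URL pattern, the function names and the 800 ms quiet period are assumptions chosen for illustration; debouncing is one possible reading of "stutter".

```python
import re

# Hypothetical URL detector for the draft text (an assumption, not WhatsApp's logic).
URL_RE = re.compile(r"\b(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?", re.I)


def typed_events(text, start_ms=0, gap_ms=150):
    """Constructed keystroke trace: one character every gap_ms milliseconds."""
    return [(start_ms + i * gap_ms, text[: i + 1]) for i in range(len(text))]


def last_url(draft):
    """Return the last URL-looking token in the draft, or None."""
    matches = URL_RE.findall(draft)
    return matches[-1] if matches else None


def per_keystroke(events):
    """Leaky policy: request a preview as soon as the detected URL changes."""
    sent, prev = [], None
    for t, draft in events:
        url = last_url(draft)
        if url and url != prev:
            sent.append((t, url))  # the remote server sees this time and path
            prev = url
    return sent


def debounced(events, quiet_ms=800):
    """Request a preview only once typing has paused for quiet_ms."""
    sent, prev = [], None
    for i, (t, draft) in enumerate(events):
        next_t = events[i + 1][0] if i + 1 < len(events) else None
        if next_t is not None and next_t - t < quiet_ms:
            continue  # user is still typing, send nothing
        url = last_url(draft)
        if url and url != prev:
            sent.append((t + quiet_ms, url))
            prev = url
    return sent


if __name__ == "__main__":
    trace = typed_events("see example.com/a")
    print("per keystroke:", per_keystroke(trace))
    print("debounced:    ", debounced(trace))
```

The debounced policy still reveals the requester's IP address and the final URL to the remote server; what it removes is the per-character timing and the partial URLs.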
He also argues WhatsApp could disable website previews by default — though a mainstream app cannot realistically function by shielding convenience-focused features from its users, given that, as a general rule, those users are unlikely to be able to ferret out such functions on their own; ergo, they need (and expect) convenience served up for them.
And it is, after all, WhatsApp’s convenience that has helped make e2e encryption messaging accessible for so many mainstream app users. Which is a good thing. However the Facebook-owned messaging app does not currently offer any way to disable the website previews function within WhatsApp — and that does seem a shame.
If it did offer an option, users with specific concerns — or a very high threat level — could at least choose to close off the risk of metadata leakage via a typed URL route.
In the absence of such an option, I guess a manual workaround is not to type URLs into your WhatsApp chats. Or to use an alternative (e2e) messaging app that doesn’t serve website previews when you want to send URLs to contacts.
For instance, the Signal messaging app, whose end-to-end encrypted protocol WhatsApp also uses, does not leak metadata because it does not fetch URL previews.
This too is expected behavior for that other messaging app given Signal’s fuller focus on security over mainstream convenience. (And Signal’s user base is also nowhere near the size of WhatsApp’s.)
Point is: Security choices are like horses for courses.
“Please note that I don’t consider this a high security flaw,” emphasizes Mulander of WhatsApp’s GET requests. “Yes they are leaking information but encryption is NOT broken in their software.
“The information leak is a side channel that a very sophisticated adversary could use to connect metadata and gain additional information on the conversation but the clear text message is not transmitted over the Internet.”
We reached out to WhatsApp for comment on the issue but at the time of writing the company had not responded.
Weighing in via Twitter, software engineer Alec Muffett, who implemented the e2e crypto for Facebook’s private chats feature when he worked at WhatsApp’s parent company, is largely dismissive…
Though others in the infosec space agree a ‘no preview’ option would at least be a nice-to-have in WhatsApp…
tl;dr, a little more privacy-minded obfuscation and user choice would, arguably, be nice from WhatsApp — and, if implemented well, should not risk overcomplicating its usability.
But the primary issue being flagged up is the perennial tug-of-war between security and convenience. Bottom line: People need to select the appropriate security tool for their threat level.
While those with specific concerns over digital privacy (say, focused on IP addresses being used for tracking/ad targeting) may need to be prepared to give up more tech-enabled convenience than others.
The other issue being underlined here is the need for complex technologies to be better articulated by the industry as a whole — to help users understand their relative risk. And to avoid intended trade-offs/design decisions being misconstrued as something more sinister. Or security to be conflated with privacy.