Today mulander made a very interesting tweet regarding WhatsApp and the way it’s trying to fetch information about a URL you are typing. It seems that while you are typing the WhatsApp client is trying to fetch information about the website real-time. What is happing, why is it happening and is it a cause for concern?
— mulander (@mulander) June 12, 2017
What is happening?
When someone is writing an URL in WhatsApp, the server is queried real-time revealing the URL someone is typing. For example, when I type a non-existent URL in a WhatsApp message, even without sending the message this is what appears in the Apache (server) logs:
All of the information above is visible for the server admin.
Why is it happening?
When you write a message to someone in WhatsApp, it tries to “enhance” your message by generating a preview of the page you are going to send. When you send the message this preview is shown next to the URL.
On the background, the messaging client is trying to fetch the website to generate this preview. Instead of waiting until the user has completed the URL (e.g. waiting for space or enter) the client fetches the URL every time a character is added.
Cause for concern?
WhatsApp is advertising itself as a secure messaging application. While the end-to-end encryption certainly does its job to keep the communication secure, however, this “feature” leaks a bit of information about the sender. As you can see the log does not only contain the URL that is being shared, but it also contains the clients IP address and WhatsApp version. It also almost functions like a keylogger while being limited to only the characters contained within the URL.
When the URL points towards an image, the complete user agent is disclosed.
Not only the IP address is now known, but also the Dalvik version, Android version, Phone model and Build number.
This all combined gives quite a bit of personal information about the sender. It’s the same information you would disclose when you visit the website on your phone. However, I would argue that most people won’t expect that this also happens when you simply try to share a link on WhatsApp.
The easiest way to fix this is to proxy all requests through a server of WhatsApp, but this is something Facebook/WhatsApp needs to change. Until that time, you might want to use a VPN on your phone, or don’t share an URL if you don’t want to disclose your IP to the owner of the website. It should also be noted that Telegram does the same, but not character by character. It’s not a big data leak, but something to keep in mind the next time you share an URL.