7

When we want to send a message that contains only a link - such as a question from the Stack Exchange network - WhatsApp displays information from the website as below:

enter image description here

Does this leak information about what was sent, and from who, and to whom?

We can assume that WhatsApp uses an internal browser and doesn't send information to itself. However, above already seems to be a leak since the user has already looked there before sharing.

What about a collaborative attack between Google and WhatsApp combined? WhatsApp sees the message sent and Google sees the site that has been looked up.

So, does above leak information?

Pouya Esmaeili
  • 139
  • 10
kelalaka
  • 5,409
  • 4
  • 24
  • 47

1 Answers1

9

WhatsApp client makes http GET request to the site sender types in, in order to fetch site's meta properties that show up in preview.

<meta property="og:title" content="Information Security Stack Exchange">
<meta property="og:description" content="Q&A by infosec enthusiasts">
<meta property="og:image" content="https://cdn.sstatic.net/Sites/security/Img/logo.svg?v=f9d04c44487b">
<meta property="og:url" content="https://security.stackexchange.com">

The http request is not protected by E2EE so it can be sniffed by MITM. If the requested site is not using https, the query string and site's meta content can also be seen by the observer. If the sender forgets to put space between the query string of the URL and the next immediate word after the query string, that word is leaked as being a part of query string.

https://security.stackexchange.com/questions/241076/does-whatsapps-link-preview-on-the-link-messages-leaks-informationSECRET ... text ... message ... contents ...

The SECRET will be queried to the requested site. WhatApp client also tries to query sites that does not exist as long as the typed word matches with the regex of URL. As for the requested site, it doesn't know who is requesting it and to whom the URL is being sent.

If Bob tricks Alice to type URL of the web service he controls, he will be able to learn her IP Address and probably her location too. To fix this, Signal uses proxy server for link previews.

defalt
  • 6,231
  • 2
  • 22
  • 37