WhatsApp app in flap over chap's snap of URL mishap

A developer has found a hole in secure messaging tool WhatsApp's handling of links that could expose some traffic to third parties. The condition, discovered by developer Adam Wolk, arises when a user types a link into a WhatsApp message. Wolk found that, as the URL is entered into the message, WhatsApp pings the host server, …

  1. highdiver_2000

    What about closed networks?

    What happens if I were to type in the URL of a website on a closed network?

    1. Message From A Self-Destructing Turnip

      Re: What about closed networks?

      Error 105 ERR_NAME_NOT_RESOLVED

    2. Dan 55

      Re: What about closed networks?

      I guess it would use the LAN's DNS to resolve the address and then it would generate the postage stamp and text snippet from the page. The person at the other end would tap on the link and probably get server not found.

  2. Adam 1

    unclear

    The log is from server side. The question that I would have is whether that http client is on the local device or from WhatsApp's servers. If it is from the servers then it doesn't reveal the user's IP. I would like to see a Fiddler log proxying the mobile device itself.

    1. Dan 55

      Re: unclear

      It's from the device, there's no proxy in the middle.

      1. Adam 1

        Re: unclear

        Well that's a big fat fail then. That means any http link is completely transparent to your ISP/BOFH/any other MitM you care to name. Even https could expose some parts via DNS. What's the point of this feature? So you don't ever see a 404?

  3. Anonymous Coward

    Welcome to my tarpit

    Trust an app to be a bad net neighbor. At best they don't give a shit about the web, and at worst treat it like this scary wilderness (here be dragons) that must be scanned and blacklisted. I bet they don't even use a valid user-agent.

    1. Tom Sparrow

      Valid user agent?

      There's no such thing as a valid user agent, they're not regulated by anyone and neither should they be. Don't get me started on the stupidity of all major browsers still being labelled as Mozilla/5.0.

      Why we can't just cut all this out and just use Firefox/56 or Chrome/127 or whatever we're up to now is beyond me.

      In fact, I'm getting a user agent plugin now and updating mine to something sensible. I'm starting a revolution, even if it's just a single grumpy middle aged man revolution.

  4. Anonymous Coward

    Not a bug, an undocumented feature

    - NSA

  5. This post has been deleted by its author

  6. Hawkuletz

    Just checked - it requests the URL using the phone IP address. What's more, even when using web access from a computer, the requests still come from the phone IP.

  7. Keith Langmead

    Possible blacklisting

    If the website admin is particularly BOFH-like, there's also a chance you'll get your mobile's IP blacklisted from the webserver. For instance, if you've set CSF to block after too many 404s are received, and the file/folder path of the URL being typed is long enough for it to hit that limit.
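The blacklisting scenario above (and Hawkuletz's observation that the requests come from the phone's own IP) leaves a recognisable trace in the web server's access log: a burst of requests from one client where each path is the previous path plus one character. The following is an added example, not code from the article or any commenter; it parses constructed combined-format log lines (documentation-range IPs), finds those per-keystroke runs, and discounts them from a per-IP 404 count so a CSF/fail2ban-style "too many 404s" rule does not ban a phone for typing out a link.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not real traffic): one
# client requests the path after every keystroke, so most of its requests 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2017:12:00:01 +0000] "GET /b HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [10/Jun/2017:12:00:01 +0000] "GET /bl HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [10/Jun/2017:12:00:02 +0000] "GET /blo HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [10/Jun/2017:12:00:02 +0000] "GET /blog HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Jun/2017:12:00:03 +0000] "GET /blog/ HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [10/Jun/2017:12:00:04 +0000] "GET /nope HTTP/1.1" 404 0 "-" "-"
"""
# captures client IP, method, path and status code of a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_by_ip(log_text):
    """Group (path, status) per client IP; lines not matching the format are skipped."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m.group(1)].append((m.group(3), int(m.group(4))))
    return by_ip

def find_keystroke_runs(log_text, min_len=3):
    """Per IP, runs of consecutive requests where each path is the previous one
    plus one character (a per-keystroke preview fetch): [(paths, n_404), ...]."""
    runs = {}
    for ip, reqs in parse_by_ip(log_text).items():
        current, found = [reqs[0]], []
        for prev, cur in zip(reqs, reqs[1:]):
            if cur[0].startswith(prev[0]) and len(cur[0]) == len(prev[0]) + 1:
                current.append(cur)
            else:
                if len(current) >= min_len:
                    found.append(current)
                current = [cur]
        if len(current) >= min_len:
            found.append(current)
        if found:
            runs[ip] = [([p for p, _ in r], sum(s == 404 for _, s in r)) for r in found]
    return runs

def real_404s(log_text):
    """404 count per IP with keystroke-run requests discounted, so an automatic
    ban threshold is not tripped by a link preview being typed out."""
    runs = find_keystroke_runs(log_text)
    return {ip: sum(s == 404 for _, s in reqs) - sum(n for _, n in runs.get(ip, []))
            for ip, reqs in parse_by_ip(log_text).items()}
```

The same run detector also makes the leak itself visible to a site owner: every IP that shows up in `find_keystroke_runs` is a client whose messaging app fetched the page on their behalf while they were still typing.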

  8. caffeine addict

    I'm not overly surprised that whatsapp is doing this, but I'm surprised it's coming straight from the app and not from a WhatsApp server.

    What sort of prat does that on a "secure" app? At least Facebook only seems to do it when you hit return.

    Hang on... I just used Facebook as a less-worse option. I may need to go kill myself.

    1. Anonymous Coward

      > Hang on... I just used Facebook as a less-worse option. I may need to go kill myself.

      .. which means live streaming. Funny how this is all planned out in advance. Soylent Green anyone?

      :)

  9. Anonymous Coward

    Me no understand

    Apparently, this application (and others, judging by the replies on the Twatter post) in order to fetch a preview of the link.

    But what use is a preview to the person sending the link? As opposed to the person receiving it, they presumably already know the contents of whatever they are sending, so what use is the preview? Eye candy?

    1. Anonymous Coward

      Re: Me no understand

      ElReg says:

      > "Checking URLs, if done properly, still has some major benefits for user security."

      Checking URLs against a blacklist? Maybe¹, but sending a request to the potentially evil URL to see if it crashes / takes over your app does not seem like the most effective approach, security-wise.

      E.g.: https://twitter.com/dr4ys3n/status/874725257722179584

      ¹ Blacklists should be provided as a compressed file to be downloaded and used client-side, as is done with Geo-IP, otherwise the benefits of blacklists are neutralised by the loss of privacy in having the blacklist provider know every detail of your browsing habits.

  10. vogon00

    Never mind the privacy...

    ... here is bollocks design!

    Leaving aside the obvious information leakage and privacy issues (well covered above), who thinks it is acceptable to waste bandwidth ('cheap' xDSL/DOCSIS or 'expensive' cellular) and server-side resources with this 'char by char' lookup rubbish?

    And don't get me started on the probable* piss-poor performance of the client app due to the latency of the public WAN/lower layers.

    What a waste! When will people realise that bandwidth is neither free nor limitless, and as a designer you have an obligation to minimise its use by what you write.

    This shoddy design makes my teeth itch!

    No wonder ever increasing broadband speed is of such importance...it has to carry all this cruft..as well as the cruft that masquerades as 'content'.

    (* One is not a WhatsApp user, so I cannot test my assumption)

    1. matjaggard

      Re: Never mind the privacy...

      Perhaps this is one of the concessions to the network providers. Sorry, you can't make any cash out of SMS any more, but on a brighter note, we'll do our best to increase data usage!

  11. Anonymous Coward

    Does Signal do the same thing?

    Does Signal do the same thing, or is this "feature" something added stupidly/deliberately to WhatsApp by Facebook?
