Hi HN, op here.<p>I posted this not because I was angry on having a GET request sent to my server on a char by char basis. My main concerns were privacy related, since I posted this some additional things came to light:<p>1) This leaks the IP address of the person writing the msg<p>2) When property="og:image" is used it also leaks the User Agent and Android version [1]<p>3) When presented with invalid headers as a reply it can cause a crash on IOS, which mean this is a potential RCE vector [2]<p>4) It leaks the exact time an URL is typed into a chat<p>5) It's on by default, this is the default behavior in E2E encrypted conversations [3]<p>I don't use WhatsApp, I found this out by accident as I just have a habit to tail my logs. I know though that Signal doesn't
do any of this pre-fetching. I am aware this is a 'feature' but there's no place for it when security is involved.<p>[1] <a href="https://twitter.com/0xjomo/status/874585822158352384" rel="nofollow">https://twitter.com/0xjomo/status/874585822158352384</a>
[2] <a href="https://twitter.com/dr4ys3n/status/874725257722179584" rel="nofollow">https://twitter.com/dr4ys3n/status/874725257722179584</a>
[3] <a href="https://mastodon.social/@rysiek/9146943" rel="nofollow">https://mastodon.social/@rysiek/9146943</a>
Did you all know that chrome does this too? May sound obvious but I always had assumed that nothing is sent until you press enter for some reason (yeah I know, search prediction would be impossible without that). But one day I was type in a path on a test URL and noticing my server getting hit on - every single letter.
In order to produce the link preview, probably. As far as why it's character by character, I don't know, but that doesn't seem very sinister to me. Checking URLs letter by letter is sloppy, especially if you're not even trying to do auto completion, but it doesn't reveal any more information than a complete url could. Anyway, I would think they are expecting people to paste URLs in, not type them.<p>I've written code to fetch sites and give a preview, for a bookmarking bookmarklet. This involves analyzing the html for title and to select best image to represent the page. That of course necessitates retrieving the page, either through the client or server.
E: Disregard. Whatsapp is doing exactly what they should be doing. Telegram seems to proxy the requests.<p>Why is no one saying anything about end to end crypto?<p>Whatsapp shouldn't be able to see my messages, isn't that what they say themselves?
This makes me think of another potential privacy risk: if you paste a URL in WhatsApp, or click Android's share button and select WhatsApp, it doesn't add a space after the url. Most users are probably aware that they have to add a space, but if they forget, WhatsApp will probably send the first word of the rest of the message to the server. (Similarly if you paste a URL at the start of an already-written message, but maybe that's even more contrived.)
Apparently several other messaging apps behave similarly, from the replies in that tweet there were mentions of Facebook Messenger[0] and Telegram[1].<p>[0]<a href="https://pbs.twimg.com/media/DCRsz7mXUAAEbKK.jpg" rel="nofollow">https://pbs.twimg.com/media/DCRsz7mXUAAEbKK.jpg</a>
[1]<a href="https://pbs.twimg.com/media/DCSyWs0XcAAQb2N.jpg" rel="nofollow">https://pbs.twimg.com/media/DCSyWs0XcAAQb2N.jpg</a>
On the one hand it provides a greater user-experience if Whatsapp can figure out the URL and preview information about the posted URL (like any social network does today, even we do it at STOMT when you attach an URL to your feedback).<p>On the other hand i do not get why they send it after every character. Makes it even faster but creates a bunch of unnecessary requests. Not very user friendly. They could do it after they recognize a finished URL (as soon as there is a space). And as pointed out in the tweets it COULD harms the users privacy.
One aspect is the lack of debounce, but also revealing the endusers ip and user agent. They could proxy external link requests via whatsapp servers without breaking end to end encryption. wonder what iMessage does ?!
probably whatsapp web version? it adds some kind of description if you send an url: <a href="https://i.imgur.com/Rkl2cZJ.png" rel="nofollow">https://i.imgur.com/Rkl2cZJ.png</a>