A developer has found a hole in secure messaging tool WhatsApp’s handling of links that could expose some traffic to third parties.
The condition, discovered by developer Adam Wolk, arises when a user types a link into a WhatsApp message. Wolk found that, as the URL is entered into the message, WhatsApp pings the host server, checking for a valid page each time a new character is typed.
In other words, while all messages sent via WhatsApp remain secured, the requests would be seen, potentially, by the owner of the site or anyone who had access to network traffic (ie, a man-in-the-middle attacker).
This, say privacy advocates, creates some potential risks for users who believe they are on a fully secure connection when using WhatsApp.
“You can see where someone made a design decision there – if you assume that people copy rather than type in URLs, well, it’s probably fine because they just visited it anyway. But it becomes less fine when, say, you were careful to visit that site over Tor, but now your IP address is leaked to the server because you typed it in the message,” EFF staff technologist Erica Portnoy told The Register.
“Imagine you found out that someone posted revenge porn about you, and WhatsApp just leaked your IP address, which gives the person running the website information about your location. You can imagine why that might be a problem.”
El Reg understands that WhatsApp knows about the issue and plans to remedy it in future versions by limiting the number of requests sent when typing in a URL. The WhatsApp agent will also be adjusted to transmit less information to the host server when checking a URL.
That is not to say that WhatsApp is going to get rid of URL checks altogether – nor should they. Checking URLs, if done properly, still has some major benefits for user security. Rather, WhatsApp should give users a choice to turn the feature off or limit what it shares.
“There are some good reasons for WhatsApp’s choice here, including checking links against a blacklist of malware sites and loading previews, but users should absolutely have control over this behavior,” Portnoy explained.
“It’s better to have it as an opt-in feature for users with lower security needs rather than springing it on the people who this behavior might harm.”