Twitter | Search | |
Adam Wołk
Very creepy , someone was apparently typing in an URL and WhatsApp was fetching it off my server char-by-char
Reply Retweet Like More
Pan Yatsaman 🇵🇱 💯 13 Jun 17
Not only that, but it also means that they try to access (and maybe parse, record and store) ANY web link you're sending through it
Reply Retweet Like
Adam Wołk 13 Jun 17
It also allows metadata analysis of who communicates with who. For unique URL's you can time when it was sent and from where visited.
Reply Retweet Like
Owen Campbell-Moore ✪ 13 Jun 17
Honest q: what is the right way? Debouncing could be nice, but overall this looks not too bad?
Reply Retweet Like
Adam Wołk 13 Jun 17
a) don't do this by default on a e2e encrypted app, this leaks data b) do the request once
Reply Retweet Like
Adam Wołk 13 Jun 17
one more thing, stutter the time you do the request - so it's not obvious when exactly the user typed that message.
Reply Retweet Like
KVaibhav 13 Jun 17
I didn't get it. Why ur server? How can u see this data on ur server.?
Reply Retweet Like
Adam Wołk 13 Jun 17
It's my blog, on my own server, a WhatsApp user entered a URL to my post in a chat and WhatsApp went in to grab the post (off my server).
Reply Retweet Like
Shitcoin Jesus 13 Jun 17
Wait, so if I make somebody type in their whatsapp chat without sending it, I will see secret_thing in my log? uhh..
Reply Retweet Like
Brownout ☕🍵 13 Jun 17
Replying to @yatsaman @b9AcE and 2 others
the source IP address seems to indicate it's the client sending requests, not WhatsApp servers, so "they" don't access, record or store URLs
Reply Retweet Like
Adam Wołk 13 Jun 17
exactly, at the exact moment they type it - char by char.
Reply Retweet Like
Adam Wołk 13 Jun 17
yep, the end 2 end encrypted app is just leaking the IP of the person entering the message and the exact time he types that in...
Reply Retweet Like
jomo@mstdn.io 13 Jun 17
Using a proxy would be much worse because that proxy could collect all the information, thus breaking the e2e.
Reply Retweet Like
Adam Wołk 13 Jun 17
doing a GET request over the internet is already violating e2e - a site can be a third party.
Reply Retweet Like
jomo@mstdn.io 13 Jun 17
That is correct (although you probably visited the link you're sharing anyway). And the fetch-as-you-type takes it to a new level.
Reply Retweet Like
Adam Wołk 13 Jun 17
if you typed that in as a warning to a friend to avoid the URL you would be flagged for extra surveillance.
Reply Retweet Like
The Best Linux Blog In the Unixverse 13 Jun 17
Replying to @mulander @WhatsApp
You need web app firewall to block those bots. I block them at edge level.
Reply Retweet Like
Adam Wołk 13 Jun 17
Replying to @nixcraft @WhatsApp
How do you block these? The requests are made from the mobile owned by the person entering the URL.
Reply Retweet Like
Adam Wołk 13 Jun 17
They advertise with E2E crypto for private comms - this leaks the clients IP and the time he entered the URL. Slack is a group work chat.
Reply Retweet Like
Adam Wołk 13 Jun 17
user-agent is past the firewall level
Reply Retweet Like