mulander
Very creepy @WhatsApp, someone was apparently typing in an URL and WhatsApp was fetching it off my server char-by-char https://mastodon.social/media/96lwJ5IyFyVXx6t85qQ
Jun 12, 2017 at 8:59pmWeb
Show threadfo0 :radioactive:Jun 12, 2017
@mulander @WhatsApp curl -A "WhatsApp/2.17.190 A" http://blog.tintagel.pl/ :)
Show thread🛄 chitter.xyzJun 12, 2017
@mulander hecc
Show threadPietro GagliardiJun 12, 2017
@mulander @KitRedgrave not sure if creepy because spying or creepy because incompetent programming (does whatsapp let you share URLs?)
Show threadmulanderJun 12, 2017

@andlabs @KitRedgrave I assume it's a site preview URL like a thumbnailer. The problems I have with it are:

1. It freaking fires on each character entered, wasting bandwidth.

2. It fires while the user is still typing, if you write a toot and don't hit 'TOOT' you don't expect the world to know you entered a URL.

3. If they do it for URL's they probably keep un-submitted text like Facebook does (they were bought by FB).

Show threadPietro GagliardiJun 12, 2017

@mulander it's that first thing that makes me say "incompetent"

unless the person manually typed the URL in I don't see how this could possibly happen

Show threadmulanderJun 12, 2017
@andlabs what's app is mostly used on mobile. I can imagine someone re-typing an URL to a mobile (did that in the past). Granted, it's possible they just fucked up the implementation :)
Show threadShawn WebbJun 13, 2017
@mulander @KitRedgrave @andlabs Time to rm -f WhatsApp from my phone.
Show threadBrandon HallJun 12, 2017
@WhatsApp @mulander That's creepy and all but props to you for having a reader loyal enough to remember the URL of one of your posts! 🎉🎊 #blogging #writing
Show threadalexandra catalinaJun 13, 2017
@mulander that's how it does the little preview box right
Show threadRysiekúr (old account)Jun 14, 2017
@mulander @WhatsApp what the actual...
Show threadالتنينوكسJun 14, 2017
@WhatsApp @mulander This is more likely a malware stealing whatsapp signature. Why have no other admin noticed this before?
Show threadRysiekúr (old account)Jun 14, 2017

@mulander @WhatsApp what I want to know is:

1. if this also happens in an encrypted conversation?

2. is the source IP address a WhatsApp server, or the user device?

Some testing to be had, I guess.

Show threadRysiekúr (old account)Jun 14, 2017

@WhatsApp @mulander and we have answers:

ad.1. yes, this happens in an encrypted chat

ad.2. yes, it's the user's device IP address (so that's a relief)

Consider, though: this means that an eavesdropper sitting on the same network can see the DNS queries and IP, and potentially the domain name and contents (if not an HTTPS site) of whatever a user is typing in an encrypted chat!

Show threadRysiekúr (old account)Jun 14, 2017
@mulander @WhatsApp oh boy, it gets worse (sorry for the birdsite link): https://twitter.com/dr4ys3n/status/874725257722179584
Show threadRysiekúr (old account)Jun 14, 2017

@WhatsApp @mulander for the record, that means a MITM can hijack a request to an innocent HTTP link, and inject shit that will crash the app.

And if the app is crashing you know there's a potential exploit there somewhere.

#InfoSec #Fail

Show threadmulanderJun 14, 2017

@rysiek @WhatsApp yeah, most people on birdsite think I'm mad at the fact they are requesting char-by-char due to bandwith.

It's an end 2 end encrypted communicator that does out of band GET requests leaking your IP, user agent + android version (with the image:og metadata), time at which you are writing the message and on top of that has a likely RCE vector with that content typ trick.

Show threadRysiekúr (old account)Jun 14, 2017
@mulander @WhatsApp this. So very much this.
Show threadIuri GuilhermeJun 16, 2017
I find it hard to believe that a whatsapp user would type an url.