mulanderJun 12, 2017
Very creepy @WhatsApp, someone was apparently typing in an URL and WhatsApp was fetching it off my server char-by-char https://mastodon.social/media/96lwJ5IyFyVXx6t85qQ
Show threadRysiekúr (old account)Jun 14, 2017

@mulander @WhatsApp what I want to know is:

1. if this also happens in an encrypted conversation?

2. is the source IP address a WhatsApp server, or the user device?

Some testing to be had, I guess.

Show threadRysiekúr (old account)Jun 14, 2017

@WhatsApp @mulander and we have answers:

ad.1. yes, this happens in an encrypted chat

ad.2. yes, it's the user's device IP address (so that's a relief)

Consider, though: this means that an eavesdropper sitting on the same network can see the DNS queries and IP, and potentially the domain name and contents (if not an HTTPS site) of whatever a user is typing in an encrypted chat!

Show threadRysiekúr (old account)Jun 14, 2017
@mulander @WhatsApp oh boy, it gets worse (sorry for the birdsite link): https://twitter.com/dr4ys3n/status/874725257722179584
Show threadRysiekúr (old account)Jun 14, 2017

@WhatsApp @mulander for the record, that means a MITM can hijack a request to an innocent HTTP link, and inject shit that will crash the app.

And if the app is crashing you know there's a potential exploit there somewhere.

#InfoSec #Fail

Show threadmulander

@rysiek @WhatsApp yeah, most people on birdsite think I'm mad at the fact they are requesting char-by-char due to bandwith.

It's an end 2 end encrypted communicator that does out of band GET requests leaking your IP, user agent + android version (with the image:og metadata), time at which you are writing the message and on top of that has a likely RCE vector with that content typ trick.

Jun 14, 2017 at 1:04pmWeb
Show threadRysiekúr (old account)Jun 14, 2017
@mulander @WhatsApp this. So very much this.