6 private links
I posted this not because I was angry on having a GET request sent to my server on a char by char basis. My main concerns were privacy related, since I posted this some additional things came to light:
1) This leaks the IP address of the person writing the msg
2) When property="og:image" is used it also leaks the User Agent and Android version [1]
3) When presented with invalid headers as a reply it can cause a crash on IOS, which mean this is a potential RCE vector [2]
4) It leaks the exact time an URL is typed into a chat
5) It's on by default, this is the default behavior in E2E encrypted conversations [3]
I don't use WhatsApp, I found this out by accident as I just have a habit to tail my logs. I know though that Signal doesn't do any of this pre-fetching. I am aware this is a 'feature' but there's no place for it when security is involved.
[1] https://twitter.com/0xjomo/status/874585822158352384
[2] https://twitter.com/dr4ys3n/status/874725257722179584
[3] https://mastodon.social/@rysiek/9146943