Socially Distant Bertrand Le Roy | BLM
+ Your AuthorsArchive @bleroy Dev @ Microsoft / Azure Cognitive Search. Orchard CMS founder. Entered US with a H1B, won DV lottery, became citizen. Swears a fucking lot. Opinions are my own. May. 11, 2019 2 min read

WhatsApp communication are end-to-end encrypted, right?

Well, yes, but it still leaks confidential information. Here's an interesting story that happened to me this morning...


-- How WhatsApp leaked my private information to advertisers --

This morning, I was chatting with my friend @morrisonbrett on WhatsApp about laptops. He was telling me how he was excited about the new Dell he bought, and I told him how much I liked the one I got recently.


Anyway, just some random chatting as friends do, not anyone else's business, especially advertisers, which is why that conversation was had on WhatsApp, given that it's encrypted. Right? Right?


Well, think again. Almost immediately after that, I started getting exclusively Dell XPS ads on YouTube. WTAFF? How is that possible? Also, why would the Facebook-owned, fully encrypted app give confidential information to the competition?


Here's how... My friend had included a YouTube search link for reviews of the model he had ordered. Note that I did not even click on the link. All I "did" was receive it. And just like that, my friend had successfully, albeit involuntarily hacked my YouTube account.


More specifically, what happened is that WhatsApp rendered a rich preview of the link in my chat feed. That required that a request went out to YouTube with enough information for them to know it was me, and to proceed to use that leaked data to serve "relevant ads" to me.


Conclusion: WhatsApp, despite being end-to-end encrypted, still leaks private information by making non-sandboxed queries to external web sites. It should not do that.


Any external queries from the WhatsApp client needs to be strictly sandboxed and anonymized. Otherwise, its privacy claims are a joke.

8/ and end of thread.

At his point, having learned more about how those previews are supposed to be working, I'm a lot more puzzled about what really happened. If somebody has an independent repro, please chime in. Thanks to y'all who participated in this chat.

So what did I learn today?

* WhatsApp generates previews at the src, not the dest
* GBoard is scary, but irrelevant
* Coincidences exist
* Better to ask questions than jump to conclusions
* That you're paranoid doesn't mean they're not after you
* Twitter is exhausting

You can follow @bleroy.


Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.

Enjoy Threader? Sign up.

Since you’re here...

... we’re asking visitors like you to make a contribution to support this independent project. In these uncertain times, access to information is vital. Threader gets 1,000,000+ visits a month and our iOS Twitter client was featured as an App of the Day by Apple. Your financial support will help two developers to keep working on this app. Everyone’s contribution, big or small, is so valuable. Support Threader by becoming premium or by donating on PayPal. Thank you.

Follow Threader