WhatsApp communications are end-to-end encrypted, right?
Well, yes, but it still leaks confidential information. Here's an interesting story that happened to me this morning...
-- How WhatsApp leaked my private information to advertisers --
This morning, I was chatting with my friend @morrisonbrett on WhatsApp about laptops. He was telling me how he was excited about the new Dell he bought, and I told him how much I liked the one I got recently.
Anyway, just some random chatting as friends do, not anyone else's business, especially advertisers, which is why that conversation was had on WhatsApp, given that it's encrypted. Right? Right?
Well, think again. Almost immediately after that, I started getting exclusively Dell XPS ads on YouTube. WTAFF? How is that possible? Also, why would the Facebook-owned, fully encrypted app give confidential information to the competition?
Here's how... My friend had included a YouTube search link for reviews of the model he had ordered. Note that I did not even click on the link. All I "did" was receive it. And just like that, my friend had successfully, albeit involuntarily, hacked my YouTube account.
More specifically, what happened is that WhatsApp rendered a rich preview of the link in my chat feed. That required that a request went out to YouTube with enough information for them to know it was me, and to proceed to use that leaked data to serve "relevant ads" to me.
Conclusion: WhatsApp, despite being end-to-end encrypted, still leaks private information by making non-sandboxed queries to external web sites. It should not do that.
Any external queries from the WhatsApp client need to be strictly sandboxed and anonymized. Otherwise, its privacy claims are a joke.
8/ and end of thread.
At this point, having learned more about how those previews are supposed to be working, I'm a lot more puzzled about what really happened. If somebody has an independent repro, please chime in. Thanks to y'all who participated in this chat.
So what did I learn today?
* WhatsApp generates previews at the src, not the dest
* GBoard is scary, but irrelevant
* Coincidences exist
* Better to ask questions than jump to conclusions
* That you're paranoid doesn't mean they're not after you
* Twitter is exhausting
You can follow @bleroy.