Multidimensional Bertrand Le Roy @bleroy Dev at Microsoft / Xamarin. Orchard CMS founder. Entered the US with a H1B, won Diversity Visa lottery, then became citizen. Opinions expressed here are my own. May. 11, 2019 2 min read

WhatsApp communications are end-to-end encrypted, right?

Well, yes, but it still leaks confidential information. Here's an interesting story that happened to me this morning...

1/

-- How WhatsApp leaked my private information to advertisers --

This morning, I was chatting with my friend @morrisonbrett on WhatsApp about laptops. He was telling me how he was excited about the new Dell he bought, and I told him how much I liked the one I got recently.

2/

Anyway, just some random chatting as friends do, not anyone else's business, especially advertisers, which is why that conversation was had on WhatsApp, given that it's encrypted. Right? Right?

3/

Well, think again. Almost immediately after that, I started getting exclusively Dell XPS ads on YouTube. WTAFF? How is that possible? Also, why would the Facebook-owned, fully encrypted app give confidential information to the competition?

4/

Here's how... My friend had included a YouTube search link for reviews of the model he had ordered. Note that I did not even click on the link. All I "did" was receive it. And just like that, my friend had successfully, albeit involuntarily, hacked my YouTube account.

5/

More specifically, what happened is that WhatsApp rendered a rich preview of the link in my chat feed. That required that a request went out to YouTube with enough information for them to know it was me, and to proceed to use that leaked data to serve "relevant ads" to me.

6/

Conclusion: WhatsApp, despite being end-to-end encrypted, still leaks private information by making non-sandboxed queries to external web sites. It should not do that.

7/

Any external queries from the WhatsApp client need to be strictly sandboxed and anonymized. Otherwise, its privacy claims are a joke.

8/ and end of thread.

At this point, having learned more about how those previews are supposed to work, I'm a lot more puzzled about what really happened. If somebody has an independent repro, please chime in. Thanks to y'all who participated in this chat.

So what did I learn today?

* WhatsApp generates previews at the src, not the dest
* GBoard is scary, but irrelevant
* Coincidences exist
* Better to ask questions than jump to conclusions
* That you're paranoid doesn't mean they're not after you
* Twitter is exhausting
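The thread turns on one design question: which client fetches the page to build the link preview, and what that fetch carries. The following is an added example, not code from the thread or from WhatsApp, that models the two designs side by side: a receiver-side fetch that sends the device's ambient cookies for the link's domain (the leak described in tweets 5 and 6), a sandboxed fetch that sends no cookies or Referer (tweet 8), and a sender-side preview embedded in the message so the receiver makes no request at all (the "previews at the src" point above). Everything in it is constructed: the Open Graph HTML, the cookie jar, the YouTube search URL, and the header dictionaries stand in for real HTTP requests; the design names "sender_preview" and "receiver_fetch" are this example's own.

```python
"""Link-preview ("unfurl") privacy model: receiver-side fetch vs sender-side
preview. Added example, not code from the thread or from WhatsApp; every URL,
cookie and HTML document below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:*" content="..."> tags and the <title> text."""

    def __init__(self):
        super().__init__()
        self.og = {}
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property", "").startswith("og:") \
                and a.get("content") is not None:
            self.og[a["property"]] = a["content"]
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_preview(html):
    """Reduce a fetched page to the three fields a chat preview card shows."""
    p = OpenGraphParser()
    p.feed(html)
    return {
        "title": p.og.get("og:title") or p.title.strip(),
        "description": p.og.get("og:description", ""),
        "image": p.og.get("og:image", ""),
    }


# Constructed: what a logged-in session in a device-wide cookie store looks like.
COOKIE_JAR = {"youtube.com": {"SID": "fake-session-id"}}


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def naive_fetch_headers(url, jar=COOKIE_JAR):
    """Request a non-sandboxed client would send: ambient cookies for the
    link's domain ride along, so the site can tie the fetch to the account."""
    host = _host(url)
    headers = {"Host": host, "User-Agent": "Mozilla/5.0 (device browser UA)"}
    for domain, cookies in jar.items():
        if host == domain or host.endswith("." + domain):
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return headers


def sandboxed_fetch_headers(url):
    """Request an isolated preview fetcher sends: no cookie store, no Referer,
    a fixed generic User-Agent. The client IP is still visible to the site."""
    return {"Host": _host(url), "User-Agent": "LinkPreview/1.0"}


def compose_message(url, html_fetched_by_sender):
    """Sender-side design: the sender's client fetches the page, extracts the
    preview and ships it inside the (end-to-end encrypted) message body."""
    return {"url": url, "preview": extract_preview(html_fetched_by_sender)}


def receiver_outbound_requests(message, design):
    """Requests the receiving client makes just by displaying the message.
    design is "sender_preview" or "receiver_fetch" (names are this example's)."""
    if design == "sender_preview" and message.get("preview"):
        return []  # render from the embedded preview; nothing leaves the device
    return [naive_fetch_headers(message["url"])]


# Constructed sample page with Open Graph tags (not a real YouTube response).
SAMPLE_HTML = """<html><head><title>fallback title</title>
<meta property="og:title" content="Dell XPS 13 review - YouTube">
<meta property="og:description" content="Constructed sample page">
<meta property="og:image" content="https://example.invalid/thumb.jpg">
</head><body></body></html>"""

if __name__ == "__main__":
    url = "https://www.youtube.com/results?search_query=dell+xps+13+review"
    msg = compose_message(url, SAMPLE_HTML)
    print("preview:", msg["preview"])
    print("receiver requests (sender-side previews):",
          receiver_outbound_requests(msg, "sender_preview"))
    print("receiver requests (receiver-side fetch):",
          receiver_outbound_requests(msg, "receiver_fetch"))
    print("sandboxed headers:", sandboxed_fetch_headers(url))
```

Two caveats worth keeping in mind when reading the output. A sandboxed receiver-side fetch removes the cookie, but the destination still sees the receiver's IP address and learns that this device received that URL, so "anonymized" only holds if the fetch goes through a proxy the destination cannot tie to the user. The sender-side design sidesteps that entirely for the receiver: the only party that contacts the site is the one who chose to paste the link, and the preview travels inside the encrypted payload.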
