One of the major advantages of the WhatsApp text, voice, photo and video messaging service is its end-to-end encryption of messages. The app, which is owned by Facebook, doesn’t necessarily offer the most highly protected service, but the feature is a major advantage for a messaging service that is the most widely used in the world. The encryption may protect messages from snooping from hackers or governments, but it became apparent this week that the way WhatsApp deals with website links sent on the app exposes information about users.
This weak spot was first disclosed this week by an anonymous software developer, who goes by the name mulander on Twitter, after he noticed something odd while examining the logs of the server that hosts his blog. It turns out that as someone types a web address in the app, WhatsApp sends a request for the partially typed address to the destination website's server letter by letter. This gives the user a faster preview of the requested page, but it also creates the security lapse. Facebook has not yet responded to Haaretz's inquiry on the subject.
The main problem is that WhatsApp doesn't disguise the source of the request, thereby revealing details about the user's device, including its unique IP address. In comments on an online conversation thread on the issue, other software developers confirmed that they too could replicate the problem and were seeking to investigate how the weakness could be exploited by those with hostile intentions, either to track users or to cause the app itself to crash.
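As an added illustration (not code from the article, from WhatsApp or from mulander), the following Python script shows what a site operator would look for in a web server's access log to spot the behaviour described above: a single client requesting ever-longer prefixes of one path within a few seconds, which both reveals that client's IP address to the site and identifies the request as a link-preview fetch. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Common Log Format sample (documentation-range IPs, hypothetical paths).
# The first client sends one request per typed character; the second is normal browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2016:12:00:01 +0000] "GET /po HTTP/1.1" 404 0
203.0.113.7 - - [10/Jan/2016:12:00:01 +0000] "GET /pos HTTP/1.1" 404 0
203.0.113.7 - - [10/Jan/2016:12:00:02 +0000] "GET /post HTTP/1.1" 404 0
203.0.113.7 - - [10/Jan/2016:12:00:02 +0000] "GET /posts HTTP/1.1" 200 0
203.0.113.7 - - [10/Jan/2016:12:00:03 +0000] "GET /posts/ HTTP/1.1" 200 0
198.51.100.9 - - [10/Jan/2016:12:00:05 +0000] "GET /posts/ HTTP/1.1" 200 0
198.51.100.9 - - [10/Jan/2016:12:30:00 +0000] "GET /about HTTP/1.1" 200 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (client_ip, timestamp, path) for each GET/HEAD line in CLF format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3)


def find_prefix_bursts(log_text, min_chain=3, window=timedelta(seconds=10)):
    """Return [(client_ip, [paths])] for runs of requests from one client where each
    path extends the previous one and arrives within `window` of it: the
    character-by-character preview fetch. Runs shorter than min_chain are ignored."""
    by_ip = defaultdict(list)
    for ip, ts, path in parse(log_text.splitlines()):
        by_ip[ip].append((ts, path))
    hits = []
    for ip, reqs in by_ip.items():
        reqs.sort()
        chain = [reqs[0]]
        for prev, cur in zip(reqs, reqs[1:]):
            extends = cur[1].startswith(prev[1]) and len(cur[1]) > len(prev[1])
            if extends and cur[0] - prev[0] <= window:
                chain.append(cur)
            else:
                if len(chain) >= min_chain:
                    hits.append((ip, [p for _, p in chain]))
                chain = [cur]
        if len(chain) >= min_chain:
            hits.append((ip, [p for _, p in chain]))
    return hits


if __name__ == "__main__":
    for ip, paths in find_prefix_bursts(SAMPLE_LOG):
        print(f"preview-style fetch from {ip}: {' -> '.join(paths)}")
```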
An information security expert consulted by Haaretz confirmed that there is a problem and said avoiding possible exposure to the loophole in WhatsApp's encryption requires the user to forgo use of the website preview feature entirely.