A WhatsApp Bug That Anyone Could Have Found
This WhatsApp bug caused link previews to generate despite the "Disable link previews" setting, potentially exposing user IP addresses. This privacy bypass could enable deanonymization or targeted attacks. Anyone could have found it, but here's how I did it.
The Beginning
I had finished up with my 12th board exams, and the competitive exams were finally wrapping up. It was a lazy day, perfect for unwinding with YouTube songs playing in the background for hours now, multitasking with nothing serious on my mind. At one point, I casually browsed some UN target sites before moving on.
Later, around 11:30 AM, I opened Google Chrome on my mobile and saw a suggested news article. It was random, but I decided to share it with two of my friends on WhatsApp. That’s when things got interesting.

Discovering The Accidental Flaw
I had simply tapped "Share", chose WhatsApp, selected my two contacts, and sent the link. And just moments later, I realized the link preview appeared. I was like, wait a minute...

Why? I had recently set up WhatsApp on my new smartphone and enabled the "Disable link previews" option under advanced privacy settings to prevent previews when I send links.
Getting curious about the preview showing up, I sent another link to myself and another number on WhatsApp to confirm. The preview appeared again.
I immediately checked Meta’s Bug Bounty guidelines and found "deanonymization" as a possible fitting category. I also checked WhatsApp’s text for "Disable link previews," which stated, "The Disable link previews setting doesn’t impact links that you receive from others. Receiving link previews has no impact on your IP address." Yet in my case, sending a link to multiple contacts generated a preview, which was indeed a flaw.

To escalate further, I tested with an IP logger to see if it was possible to leak my IP address, but the preview seemed to be fetched by a WhatsApp proxy bot. Still, the core intended security feature was failing its purpose. I decided to report it and recorded a quick screen recording as proof of concept.
Steps to Reproduce
- First, ensure "Disable link previews" is turned on in WhatsApp by going to ⋮ > Settings > Privacy > Advanced.
- Open an app that supports sharing links and can generate a link preview, like a news or blog site.
- Select the link and share it via WhatsApp, choosing two or more contacts.
- Tap send. The link appears in a text field, and a preview is generated despite the setting.
Post-Report Submission
I submitted the report to Meta on August 30, 2024. There was a small mix-up at first: I accidentally submitted the report twice (like a race condition), and Meta closed one as a duplicate. After clarifying which was the original, they began investigating.
Later, on October 2, 2024, I was on a late-evening Google Meet with a friend, debugging some code. As the call came to an end, I noticed my email and saw Meta’s response confirming the bug, and I was even awarded a bounty!
This WhatsApp bug could have been found by anyone out of the billions of active users. It didn’t require advanced coding or hacking skills, just noticing something off and digging deeper. All it takes is a curious hacking mindset. If you see something unusual, explore it. You might uncover something different, just like how I found out, simple yet impactful.
Timeline
- Reporting: August 30, 2024
- Original Report Confirmation: September 3, 2024
- Bounty Awarded ($500): October 2, 2024
- Bug Patched: October 23, 2024