Yes, sending a simple link through WhatsApp or any similar instant messaging application can compromise our security and privacy. This is believed by a group of security researchers who have shown how our IP address could be revealed even in end-to-end encrypted chats. They could also collect data in the background. This is due to the preview generated by these links in the messaging applications .
Sending a simple link on WhatsApp can be dangerous
It is very common for us to share links through messaging applications such as WhatsApp or Facebook Messenger . Now, is this safe? On paper we could say yes. These are reliable applications, which are end-to-end encrypted and in which we should not have security problems.
However, a group of researchers has reported that sharing links through these types of platforms can be dangerous. This is for the preview of those links that we share. This causes those services to filter the IP address and can expose the links.
Why is this happening? Many applications depend on servers to generate those previews of the links we share. That is, what they do is send those links to a server so that the preview is generated and for that reason they could violate the privacy of the users.
Keep in mind that link preview is a common feature in most applications of this type. We speak for example of WhatsApp or Signal. Of course, some of these applications have the option to prevent them from opening in preview.
Normally these applications send that link to a server and automatically resend it to both the sender and the recipient. They can also generate that preview on the sender side. We can do the test if we try to send a link by WhatsApp. As soon as we copy the link, the link is shown as is. However, if we wait a few seconds, the preview opens.
Sender side previews
Sender side link previews are used in WhatsApp, Signal, Apple iMessage, or Viber. What they do is download that link , followed by creating the preview image and summary of that link. It is subsequently sent to the recipient. Once the recipient’s app receives the preview, it displays the message without opening the link.
The problem is that those previews generated on the issuer side can open the door to certain security risks . They could allow an attacker to check the approximate location simply by sending that link to a server controlled by him.
The latter happens because the messaging application , upon receiving a message with a link, opens the URL automatically to create the preview by revealing the IP address of the phone in the request sent to the server.
Now, in the event that this link is sent to a server to generate the preview, we could also have problems. In this case, the leakage of IP addresses could be avoided, but the problem arises that this server can store the links received. Applications such as Discord, Google Hangouts, Instagram, LINE, Slack or Twitter, among others, are based on this method. In no case do they inform users that external servers are downloading the links.
Each application can store the links on its servers for a specified time. For example, security researchers indicated that Slack caches those links for 30 minutes.