I send you a link to my server you don’t need to click on it for me to know your IP.
That said there isn’t a very good solution for this.
Link preview is a user requested feature they can’t disable it.
Doing link previews on the backend would expose what you share to W/A which ain’t good either.
The only remotely viable option is that the sender must generate the link preview and then they send it but then that can be potentially exploited for other things.
The reply is generated by the server in question, using information available to it.
Essentially, the point here is that WhatsApp is "clicking" the link (to generate a preview) with a resulting connection from the client's device, without user interaction.
So you can send a link to a server you control and harvest the recipient's client device IP, without the need for them to click on it.
17 comments
[ 2.6 ms ] story [ 50.6 ms ] threadThat said there isn’t a very good solution for this.
Link preview is a user requested feature they can’t disable it.
Doing link previews on the backend would expose what you share to W/A which ain’t good either.
The only remotely viable option is that the sender must generate the link preview and then they send it but then that can be potentially exploited for other things.
Essentially, the point here is that WhatsApp is "clicking" the link (to generate a preview) with a resulting connection from the client's device, without user interaction.
So you can send a link to a server you control and harvest the recipient's client device IP, without the need for them to click on it.
A better workaround would be the sender generating a preview but even that has a few threat models that can be abused.
I had assumed these request were proxified, but I didn't realise that would go against E2E. Now I'd like to see an option to disable these previews.