Adam Wołk

Even worse: the app does the lookups itself, not via a proxy or a service. You get both the user's IP and the user-agent (via og:image).

Using a proxy would be much worse because that proxy could collect all the information, thus breaking the e2e.

doing a GET request over the internet is already violating e2e - a site can be a third party.

That is correct (although you probably visited the link you're sharing anyway). And the fetch-as-you-type takes it to a new level.

Once more for the stupids, please: what does this mean?

That WhatsApp (Facebook) leaks info about what you're typing to server admins, which could actually be private stuff… Not good privacy.

Not only that, but it also means that they try to access (and maybe parse, record and store) ANY web link you're sending through it

It also allows metadata analysis of who communicates with who. For unique URL's you can time when it was sent and from where visited.

Not only timing for the request itself, but also for each keystroke of the URL being typed, including backspacing! Big implications I think

Since this breaks the pretty fundamental assumption that typing something in an input field and then erasing it, well, doesn't transmit it…

and to put this in perspective: they'd actually make additional effort to make this happen, ie: it's extremely creepy "feature" not mistake

my comment can be found hidden in your web server logs.

I didn't get it. Why ur server? How can u see this data on ur server.?

It's my blog, on my own server, a WhatsApp user entered a URL to my post in a chat and WhatsApp went in to grab the post (off my server).