top | item 39202549

(no title)

mbwgh | 2 years ago

Even Firefox will in general not protect you I believe.

I showed my mom how she can use 'web.whatsapp.com' to use Whatsapp more easily (in order to share screenshots or links with others).

After logging in, a notification about Whatsapp having been installed from the app store popped up after a few seconds. And indeed, the Desktop app had been installed, without any user interaction whatsoever.

I am not even sure how this was initiated, but I believe DoH being disabled by default probably has to do with it.

Edit: Like a lot of comments have suggested, I most likely remember this wrong. I tried to reproduce this (after "forgetting about" whatsapp.com in Firefox and uninstalling the app) and was unable to. I did encounter three separate "install the app" buttons, all of which however yielded an additional installation prompt from the app store.

Apologies.

FWIW, according to https://developer.mozilla.org/en-US/docs/Web/Progressive_web... Firefox does not support PWAs without an extension, so that wasn't it either.

discuss

archerx|2 years ago

Sounds like a progressive web app, they probably trick you into triggering the pwa install command.

jeroenhd|2 years ago

I don't think it's a PWA if she was using Firefox, because Firefox removed the little PWA functionality their desktop browser offered a while ago (this is one of the reasons I still have Chromium installed).

I imagine during the process, WhatsApp opened an ms-store: link that launched the Microsoft Store, and not knowing better, they clicked "install" when prompted.

The desktop app has some features that the web browser version lacks, like video calling support, so I would argue the desktop app is probably what you would want to use as a WhatsApp user, but it's rather annoying that web apps are pushing so hard for people to install desktop applications when their web apps could have the same features if they bothered implementing them in a non-Electron environment.

wkat4242|2 years ago

I don't think DNS has anything to do with this whatsoever :)

Even if it returned a different IP it would have to be verified by TLS. And it wouldn't affect what the browser is capable of doing. That even being possible would be a huge vulnerability. DoH is more of a privacy feature than security.

It's a weird thing and hard to understand without more details but like the other reply I think it may be a PWA.

mbwgh|2 years ago

My (uninformed and probably misguided) idea was that there was a host DNS service (responsible e.g. for resolving local domain names) which would cause Windows itself to trigger some rule when 'web.whatsapp.com' is encountered.

But yeah, the PWA thing seems more plausible, even though I was not aware of any install prompt or similar.

I would need to read up on PWA, and there seems to be a LOT unfortunately.

lakpan|2 years ago

Things that did not happen.

FirmwareBurner|2 years ago

> And indeed, the Desktop app had been installed, without any user interaction whatsoever.

Highly unlikely it just happened out of the blue without any user interaction at all. Stuff like this would be all over the news. Tech tabloids would love farming clickbaits with FUD like this.

You definitely clicked on something that accepts/triggers the installation and you don't remember doing it.

krige|2 years ago

That's probably because you can't "log in to whatsapp" from that address - you can only download and install the app and the site is very explicit about that.

fauigerzigerk|2 years ago

>That's probably because you can't "log in to whatsapp" from that address - you can only download and install the app and the site is very explicit about that.

No, that's not true. You can log in and use WhatsApp from that address. Only voice calls require downloading an app (at least on Mac).

nottorp|2 years ago

You can. web.whatsapp.com shows you a QR that you scan with the app on your phone and you're logged in.

At least on platforms where they can't trick you into installing the app.