Reading through these vulnerabilities, it feels like a handful of these are low priority or non-issues. This might be a controversial opinion, but it’s not clear to me why these issues ought to be prioritized and fixed expediently.
For example, it’s not clear to me why an IP address leak is considered problematic. And breaking chat or crashing on reload seems more akin to a bug a la iMessage link bugs like https://www.theverge.com/2018/1/18/16904774/ios-iphone-bug-c.... That type of issue should be fixed, but it’s not a vulnerability that’s meaningfully exploitable for either remote code execution, stealing client credentials, or stealing client data.
The IP leak one is really interesting to me. Considering the quip regarding the fact that centralized servers are performing the link preview operation because it's not using E2E encryption... But if it was, and the client machine was generating the preview, then wouldn't that force exposure of the client's IP to the remote server?
Yes, these are the tradeoffs between client-side and server-side link previews. (If the sending client does it, they could lie; if the receiving client does it, it's a privacy leak and attack surface increase; if the server does it, then it sees private data.)