The way link previews are created in messaging apps could expose users to privacy and security risks, and potentially even waste gigabytes of mobile data if not done properly, warned cybersecurity researchers.
In a report titled ‘Link Previews: How A Simple Feature Can Have Privacy And Security Risks’, researchers Tommy Mysk and Talal Haj Bakry found that the feature came with unexpected vulnerabilities, from exposing users’ IP addresses and running malicious code to unnecessarily downloading excessive amounts of data and draining device battery.
Link Previews are summaries that chat apps generate to give users an idea of where a link leads to, which is created when people share links to websites and articles, or documents like PDFs and Word files.
Mysk explained that apps generally downloaded some information from the link or document in order to generate a preview, which caused the problems.
He said the process required the app to connect to the server containing the data in the link, which revealed the user device’s IP address, which could then be used to determine a user’s location.
“Not only that, this approach can also be a problem if the link points to a large file, like a video or a zip file. A buggy app might try to download the whole file, even if it’s gigabytes in size, causing it to use up your phone’s battery and data plan,” he added.
Apps, including Instagram and LinkedIn, also sometimes run Java Code from the links they were previewing, which Mysk points out can subject users to malicious code.
He said the safest method was not to generate a link preview, as was done by Signal, Threema, TikTok and WeChat.
Some apps – like iMessage, Viber and WhatsApp – generate a summary and preview image of the website on the sender’s phone, and then send the link preview as an attachment together with the link. This approach only reveals the sender’s IP address and avoids automatically running potentially malicious code on the recipient’s device.
He said the most problematic method was to generate a preview on the receiver’s app, which opens the link automatically as soon as the user sees the message.
“If you’re using an app that follows this approach, all an attacker would have to do is send you a link to their own server... Your app will happily open the link even without you tapping on it,” Mysk said.
A third method was for an external server to generate the preview, which removes the risks associated with either sender or receiver previewing the link.
However, this meant an external party would have access to, and need to make a copy of, the contents of the link in order to generate the preview.
Mysk questioned the security practices and lack of privacy safeguards involved in this method, especially for sensitive information, due to the fact the server may hold on to its copies of the content for an indeterminate period.
“If these servers do keep copies, it would be a privacy nightmare if there’s ever a data breach of these servers. This is especially a concern for business apps like Zoom and Slack,” he said.
He added that this method was used by many messaging apps including Facebook Messenger, Google Hangouts, Instagram, Discord, Twitter and Zoom.
The team points out a separate problem where the amount of data downloaded varied greatly between apps, and said that if the file was too large it would crash the app.
While most apps have a cap of between 15MB to 50MB for downloads, Facebook Messenger and its subsidiary Instagram would download the entire file if it was a picture or video, even if it was several GB in size.
When contacted, Facebook told Mysk the feature was working as intended. He added that all apps mentioned were contacted about the issues, with several already taking steps to fix them.