Link previews in chat apps could be privacy risk, warns cybersecurity specialist


The way that some apps generate link previews could expose users to privacy risks and potentially waste gigabytes of mobile data. — AFP

The way link previews are created in messaging apps could expose users to privacy and security risks, and potentially even waste gigabytes of mobile data if not done properly, warned cybersecurity researchers.

In a report titled ‘Link Previews: How A Simple Feature Can Have Privacy And Security Risks’, researchers Tommy Mysk and Talal Haj Bakry found that the feature came with unexpected vulnerabilities, from exposing users’ IP addresses and running malicious code to unnecessarily downloading excessive amounts of data and draining device battery.

Link previews are the summaries that chat apps generate when people share links to websites, articles, or documents such as PDFs and Word files, to give users an idea of where a link leads.

Mysk explained that apps generally downloaded some information from the link or document in order to generate a preview, which caused the problems.

He said the process required the app to connect to the server hosting the linked content, which revealed the IP address of the user’s device and could, in turn, be used to determine the user’s location.

“Not only that, this approach can also be a problem if the link points to a large file, like a video or a zip file. A buggy app might try to download the whole file, even if it’s gigabytes in size, causing it to use up your phone’s battery and data plan,” he added.

Apps, including Instagram and LinkedIn, also sometimes ran Java code from the links they were previewing, which Mysk pointed out could expose users to malicious code.

He said the safest method was not to generate a link preview, as was done by Signal, Threema, TikTok and WeChat.

Some apps – like iMessage, Viber and WhatsApp – generate a summary and preview image of the website on the sender’s phone, and then send the link preview as an attachment together with the link. This approach only reveals the sender’s IP address and avoids automatically running potentially malicious code on the recipient’s device.

He said the most problematic method was to generate a preview on the receiver’s app, which opens the link automatically as soon as the user sees the message.

“If you’re using an app that follows this approach, all an attacker would have to do is send you a link to their own server... Your app will happily open the link even without you tapping on it,” Mysk said.

A third method was for an external server to generate the preview, which removes the risks associated with either sender or receiver previewing the link.

However, this meant an external party would have access to, and need to make a copy of, the contents of the link in order to generate the preview.

Mysk questioned the security practices and lack of privacy safeguards involved in this method, especially for sensitive information, because the server may hold on to its copies of the content for an indeterminate period.

“If these servers do keep copies, it would be a privacy nightmare if there’s ever a data breach of these servers. This is especially a concern for business apps like Zoom and Slack,” he said.

He added that this method was used by many messaging apps including Facebook Messenger, Google Hangouts, Instagram, Discord, Twitter and Zoom.

The team pointed out a separate problem: the amount of data downloaded varied greatly between apps, and if the file was too large it would crash the app.

While most apps cap downloads at between 15MB and 50MB, Facebook Messenger and its subsidiary Instagram would download the entire file if it was a picture or video, even if it was several GB in size.
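The sender-side approach described above and the download caps discussed here come down to three rules a preview generator should follow: refuse to fetch anything that is not HTML before reading a single body byte, never read more than a fixed number of bytes of HTML regardless of what the server claims, and extract the title and Open Graph tags by parsing markup rather than running anything from the page. The following Python is an added example written for this article; it is not code from the Mysk report or from any of the apps named. The 512 KiB cap, the `build_preview` function, the `EndlessStream` stand-in and the sample responses are all constructed for illustration, and no network connection is made.

```python
import io
from html.parser import HTMLParser

# Hypothetical cap for this example; the article reports real apps use 15MB to 50MB.
MAX_PREVIEW_BYTES = 512 * 1024
# Only HTML is fetched for a preview; videos, archives and other binaries are refused.
PREVIEWABLE_TYPES = ("text/html", "application/xhtml+xml")


class NotPreviewable(Exception):
    """Raised before any body bytes are read when the resource type is not HTML."""


class _HeadMetaParser(HTMLParser):
    """Collects <title> and Open Graph <meta> tags from the document head.

    Only tag names and attribute strings are inspected. <script> contents are
    delivered to handle_data as inert text and ignored, so nothing is executed.
    """

    def __init__(self):
        super().__init__()
        self.title = ""
        self.og = {}
        self._in_title = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        if self._done:
            return
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            a = dict(attrs)
            prop = a.get("property") or a.get("name") or ""
            if prop.startswith("og:") and a.get("content"):
                self.og[prop] = a["content"]
        elif tag == "body":
            self._done = True  # preview metadata lives in <head>; stop early

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self._done = True

    def handle_data(self, data):
        if self._in_title and not self._done:
            self.title += data


def build_preview(headers, body, max_bytes=MAX_PREVIEW_BYTES):
    """Build a preview from lower-cased response headers and a binary body stream.

    Non-HTML types are refused before the body is touched, and at most
    max_bytes of HTML are read regardless of what Content-Length claims.
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in PREVIEWABLE_TYPES:
        raise NotPreviewable(f"refusing to fetch {ctype or 'unknown type'} for a preview")

    chunks, remaining = [], max_bytes
    while remaining > 0:
        chunk = body.read(min(64 * 1024, remaining))
        if not chunk:
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    truncated = remaining == 0 and bool(body.read(1))  # one probe byte past the cap
    data = b"".join(chunks)

    parser = _HeadMetaParser()
    parser.feed(data.decode("utf-8", errors="replace"))
    parser.close()
    return {
        "title": parser.title.strip() or parser.og.get("og:title", ""),
        "description": parser.og.get("og:description", ""),
        "image": parser.og.get("og:image", ""),
        "bytes_read": len(data),
        "truncated": truncated,
    }


# Constructed sample responses standing in for a live socket (no network used).
SAMPLE_HTML = b"""<!doctype html><html><head>
<title>Example report</title>
<meta property="og:description" content="A constructed test page">
<meta property="og:image" content="https://example.invalid/cover.png">
<script>fetch('https://example.invalid/beacon')</script>
</head><body><p>body text</p></body></html>"""
SAMPLE_HTML_HEADERS = {"content-type": "text/html; charset=utf-8",
                       "content-length": str(len(SAMPLE_HTML))}
SAMPLE_ZIP_HEADERS = {"content-type": "application/zip",
                      "content-length": str(3 * 1024 ** 3)}  # a 3 GB archive


class EndlessStream:
    """Constructed server that streams HTML padding forever and sends no Content-Length."""

    def read(self, n=-1):
        return b" " * (n if n and n > 0 else 64 * 1024)


if __name__ == "__main__":
    print(build_preview(SAMPLE_HTML_HEADERS, io.BytesIO(SAMPLE_HTML)))
    print(build_preview({"content-type": "text/html"}, EndlessStream()))
```

Two design points matter here. The cap is enforced on bytes actually read rather than on the Content-Length header, because that header is supplied by the server the link points at and a buggy or hostile server can omit it or lie; the `EndlessStream` case shows the reader stopping at the cap anyway. And the `og:image` URL is returned as a string, not fetched: if the app goes on to download the image for the preview thumbnail, that fetch needs the same type check and byte cap, otherwise the picture-or-video loophole described above reappears one step later.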

When contacted, Facebook told Mysk the feature was working as intended. He added that all apps mentioned were contacted about the issues, with several already taking steps to fix them.
