Security researchers Talal Haj Bakry and Tommy Mysk have published a blog post detailing the security risks that link previews can pose. Almost all messaging apps out there offer link previews and these researchers have explained how this feature can be a serious privacy loophole if not handled properly. They’ve detailed how Instagram and Facebook Messenger have serious loopholes that need to be fixed. In their case study, they found several bugs like leaking of IP addresses, exposing of links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data quietly in the background.
In a blog post, Mysk and Bakry detail how chat apps use different approaches to generate link previews. They detailed that Reddit generates link previews by opening the link automatically even before you tap it. Users only need to see this message on Reddit to trigger this backend programming. This approach could result in malicious attackers getting your IP address that indirectly leads to your location details. The report says that Reddit has already fixed this problem after the researchers contacted them.
Apps like Discord, Facebook Messenger, Google Hangouts, Instagram, Line, LinkedIn, Slack, Twitter, and Zoom use another approach that involves sending the link to an external server to generate a preview. The server will send the preview back to both the sender and receiver. With this approach, the server will need to make a copy of what’s in the link to generate the preview, and that copy could be saved on the server and be misused later.
This approach could be violating the privacy of their users by sending links shared in a private chat to their servers. These links may contain private information intended only for the recipients. This could be bills, contracts, medical records, or anything that may be confidential. Line app was found to be sending end-to-end encrypted (e2ee) links to servers for generating previews, defeating the purpose of e2ee entirely.
While some apps have limitations on the amount of data collected and stored, Instagram and Facebook Messenger do not have any limitations and can download anything no matter the size. The researchers show that Instagram was able to download a link that was 2.7GB in size on multiple Facebook servers. This link was downloaded on eight Facebook servers and roughly 24.7GB of data was downloaded just through that one link shared on Instagram. This is alarming given that most apps have download limitations. Facebook and Instagram both have not yet responded to the notice sent to them by these researchers.
Slack has a download limit of 50MB, while LinkedIn has capped it at 30MB. Even with these limitations, it could lead to privacy breach if these servers are hacked. The researchers mention that an aggregable approach is used by WhatsApp, Signal, iMessage, and Viber where the “app will go and download what’s in the link. It’ll create a summary and a preview image of the website, and it will send this as an attachment along with the link. When the app on the receiving end gets the message, it’ll show the preview as it got from the sender without having to open the link at all. This way, the receiver would be protected from risk if the link is malicious. This approach assumes that whoever is sending the link must trust it, since it’ll be the sender’s app that will have to open the link.” The approach used by most apps of sending links to servers can be misused by threat actors to run potentially malicious code on link previews. WeChat, Threema, and TikTok don’t generate link previews at all, and even Signal has the option to turn it off if you wish to.