Security researchers Talal Haj Bakry and Tommy Mysk have published a blog post detailing the security and privacy risks of link previews. Almost every messaging application generates link previews, and the researchers explain that when the feature is implemented carelessly it becomes a serious privacy problem. They single out Instagram and Facebook Messenger as having serious issues that need to be fixed. Across their case studies they found several failures, including IP address leaks, exposure of links sent in end-to-end encrypted chats, and silent, unnecessary background downloads of gigabytes of data.
Mysk and Bakry describe in their blog post the different methods chat applications use to generate link previews. Reddit, they found, generates the preview on the recipient's side: the app opens the link automatically, before the recipient ever taps it, as soon as the message is displayed. Because the recipient's own device fetches the link, a malicious sender who controls the linked server learns the recipient's IP address, and from it an approximate location. The report says Reddit fixed the issue after the researchers contacted them.
Apps such as Discord, Facebook Messenger, Google Hangouts, Instagram, Line, LinkedIn, Slack, Twitter, and Zoom use another method: the link is sent to an external server, which generates the preview and sends it back to both sender and receiver. To build the preview, the server has to download the content behind the link, and that copy can be retained on the server and abused later.
Sending a link shared in a private chat to the provider's server can violate the user's privacy on its own: such links may point to content intended only for the recipient, such as bills, contracts, medical records or other confidential material. The researchers found that the Line app sends links from end-to-end encrypted (e2ee) chats to its server to generate previews, which defeats the purpose of end-to-end encryption for those links.
Although some applications limit how much data their servers download and store, Instagram and Facebook Messenger impose no limit, and linked content is downloaded in full regardless of size. The researchers showed that a link to a 2.7GB file shared on Instagram was fetched by multiple Facebook servers: eight Facebook servers downloaded it, for about 24.7GB of data pulled through a single shared link. Given that most apps cap downloads, this is striking. Facebook and Instagram have not yet responded to the notices the researchers sent them.
Slack’s download limit is 50MB and LinkedIn’s is 30MB. Even with such limits, a compromise of those servers could still leak the copied content. The researchers note that WhatsApp, Signal, iMessage, and Viber use a sender-side method, in which “the app will go and download the content in the link. It will create a summary and preview image of the website and send it as an attachment along with the link. When the receiving application receives the message, it will display the preview obtained from the sender without opening the link at all. This way, the recipient is protected from risk if the link is malicious. This method assumes that anyone sending the link must trust it, because it will be the sender’s application that has to open the link.” The researchers also warn that the server-side approach most applications use can be abused by threat actors to get malicious code in a linked page run during preview generation. WeChat, Threema and TikTok do not generate link previews at all, and Signal lets users turn the feature off.
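As an added example (not code from the researchers' post or from any of the apps named above), the following Python sketch combines the two mitigations this section describes: the sender-side approach, where the author's own client builds the preview and ships it with the message so neither the recipient's device nor the provider's servers ever touch the link, and a hard download cap like Slack's and LinkedIn's. The 1 MiB limit, the function names, and the sample HTML page are my own assumptions; the parser only tokenizes the page and never executes any script in it.

```python
"""Sender-side link preview with a hard download cap.

Added example, not code from the Mysk/Bakry post or from any app it covers.
The author's client fetches the link (so only the sender's IP is exposed),
stops reading at MAX_PREVIEW_BYTES, accepts only text/html, and pulls just
<title> and a few Open Graph tags out of the page with a tokenizer.
Names, limits and the sample page below are assumptions for illustration.
"""
import io
import urllib.request
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 1024 * 1024  # assumed cap: 1 MiB is plenty for <head>
FETCH_TIMEOUT = 5                # seconds; a slow host must not hang the client


class PreviewTooLarge(Exception):
    """The linked resource exceeds the preview download cap."""


class NotHTML(Exception):
    """The linked resource is not an HTML page, so no preview is built."""


class _MetaParser(HTMLParser):
    """Collect <title> and og:title / og:description / og:image only."""

    WANTED = ("og:title", "og:description", "og:image")

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.title = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            key = a.get("property") or a.get("name")
            if key in self.WANTED and a.get("content"):
                self.meta.setdefault(key, a["content"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        # <script> bodies also arrive here and are simply ignored:
        # the parser tokenizes, it never evaluates anything.
        if self._in_title and self.title is None:
            self.title = data.strip()


def read_capped(stream, limit=MAX_PREVIEW_BYTES, chunk=64 * 1024):
    """Read in chunks and abort once the body passes `limit` bytes, so a
    link to a multi-gigabyte file costs at most `limit` + one chunk."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise PreviewTooLarge(f"body exceeds {limit} bytes")


def build_preview(url, content_type, body):
    """Turn a capped HTML body into the preview that travels with the message."""
    if not content_type.lower().startswith("text/html"):
        raise NotHTML(content_type or "<missing Content-Type>")
    parser = _MetaParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    return {
        "url": url,
        "title": parser.meta.get("og:title") or parser.title,
        "description": parser.meta.get("og:description"),
        "image": parser.meta.get("og:image"),
    }


def fetch_preview(url):
    """The only networked path; runs on the sender's device, never on a server."""
    req = urllib.request.Request(url, headers={"User-Agent": "example-preview/0.1"})
    with urllib.request.urlopen(req, timeout=FETCH_TIMEOUT) as resp:
        declared = resp.headers.get("Content-Length")
        if declared and int(declared) > MAX_PREVIEW_BYTES:
            raise PreviewTooLarge(f"Content-Length {declared} over cap")
        body = read_capped(resp)
        return build_preview(url, resp.headers.get("Content-Type", ""), body)


def compose_message(text, url, previews_enabled=True, fetcher=fetch_preview):
    """Attach the preview to the outgoing message so the recipient's app can
    render it without opening the link. previews_enabled=False is the
    Signal-style opt-out; any fetch failure just sends the bare link."""
    msg = {"text": text, "url": url, "preview": None}
    if previews_enabled:
        try:
            msg["preview"] = fetcher(url)
        except (PreviewTooLarge, NotHTML, OSError, ValueError):
            pass
    return msg


# Constructed sample page (not a real site); its <script> is never run.
SAMPLE_HTML = b"""<html><head><title>Fallback title</title>
<meta property="og:title" content="Invoice 2020-10">
<meta property="og:description" content="Private billing statement">
<meta property="og:image" content="https://example.test/inv.png">
<script>document.cookie</script></head><body>...</body></html>"""

if __name__ == "__main__":
    print(build_preview("https://example.test/inv", "text/html; charset=utf-8",
                        read_capped(io.BytesIO(SAMPLE_HTML))))
```

A production client would additionally resolve the host before connecting and refuse loopback and private address ranges, since the sender's device fetching arbitrary URLs is itself a request-forgery surface; that check is omitted here to keep the example focused on the cap and the sender-side flow.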