Cybersecurity researchers over the weekend disclosed new security risks associated with link previews in popular messaging apps that cause the services to leak IP addresses, expose links sent via end-to-end encrypted chats, and even unnecessarily download gigabytes of data stealthily in the background.
"Links shared in chats may contain private information intended only for the recipients," researchers Talal Haj Bakry and Tommy Mysk said.
"This could be bills, contracts, medical records, or anything that may be confidential."
"Apps that rely on servers to generate link previews may be violating the privacy of their users by sending links shared in a private chat to their servers."
Generating Link Previews at the Sender/Receiver Side
Link previews are a common feature in most chat apps, making it easy to display a visual preview and a brief description of the shared link.
Although apps like Signal and Wire give users the option to turn on/off link previews, a few others like Threema, TikTok, and WeChat don't generate a link preview at all.
The apps that do generate the previews do so either at the sender's end or the recipient's end or using an external server that's then sent back to both the sender and receiver.
Sender-side link previews — used in Apple iMessage, Signal (if the setting is on), Viber, and Facebook's WhatsApp — works by downloading the link, followed by creating the preview image and summary, which is then sent to the recipient as an attachment. When the app on the other end receives the preview, it displays the message without opening the link, thus protecting the user from malicious links.
"This approach assumes that whoever is sending the link must trust it, since it'll be the sender's app that will have to open the link," the researchers said.
In contrast, link previews generated on the recipient side opens the door to new risks that permits a bad actor to gauge their approximate location without any action taken by the receiver by simply sending a link to a server under their control.
This happens because the messaging app, upon receiving a message with a link, opens the URL automatically to create the preview by disclosing the phone's IP address in the request sent to the server.
Reddit Chat and an undisclosed app, which is "in the process of fixing the issue," were found to follow this approach, per the researchers.
Using an External Server to Generate Link Previews
Lastly, the use of an external server to generate previews, while preventing the IP address leakage problem, creates new issues: Does the server used to generate the preview retain a copy, and if so, for how long, and what do they use it for?
Several apps, counting Discord, Facebook Messenger, Google Hangouts, Instagram, LINE, LinkedIn, Slack, Twitter, and Zoom, fall into this category, with no indication to users that "the servers are downloading whatever they find in a link."
Testing these apps revealed that except for Facebook Messenger and Instagram, all others imposed a 15-50 MB cap when it comes to the files downloaded by their respective servers. Slack, for instance, caches link previews for around 30 minutes.
The outliers, Facebook Messenger and Instagram, were found to download entire files, even if they ran into gigabytes in size (such as a 2.6GB file), which according to Facebook, is an intended feature.
Even then, the researchers warn, this could be a "privacy nightmare" if the servers do retain a copy and "there's ever a data breach of these servers."
What's more, despite LINE's end-to-end encryption (E2EE) feature designed to prevent third-parties from eavesdropping on conversations, the app's reliance on an external server to generate link previews allows "the LINE servers [to] know all about the links that are being sent through the app, and who's sharing which links to whom."
LINK has since updated its FAQ to reflect that "in order to generate URL previews, links shared in chats are also sent to LINE's servers."
In a separate case, the researchers also discovered it was possible to potentially execute malicious code on link preview servers, resulting in a JavaScript code link shared on Instagram or LinkedIn to cause their servers to run the code.
"We tested this by sending a link to a website on our server which contained JavaScript code that simply made a callback to our server," they said. "We were able to confirm that we had at least 20 seconds of execution time on these servers."
Keeping in Mind the Privacy and Security Implications
Bakry and Mysk have previously exposed flaws in TikTok that made it possible for attackers to display forged videos, including those from verified accounts, by redirecting the app to a fake server hosting a collection of forged videos. Earlier this March, the duo also uncovered a troubling privacy grab by over four dozen iOS apps that were found to access users' clipboards without users' explicit permission.
The development led Apple to introduce a new setting in iOS 14 that alerts users every time an app tries to copy clipboard information, alongside adding new permission that protects clipboard from unwarranted access by third-party apps.
"We think there's one big takeaway here for developers: Whenever you're building a new feature, always keep in mind what sort of privacy and security implications it may have, especially if this feature is going to be used by thousands or even millions of people around the world."
"Link previews are nice a feature that users generally benefit from, but here and we've showcased the wide range of problems this feature can have when privacy and security concerns aren't carefully considered."