The link previews of many messaging and chat mobile apps on both iOS and Android pose significant security and privacy risks, according to two researchers.
Facebook Messenger, Instagram, Line, and LinkedIn are listed as the worst offenders, while several other apps are too bad to even mention until their flaws are fixed.
"Link previews in chat apps can cause serious privacy issues if not done properly," researchers Talal Haj Bakry and Tommy Mysk wrote in a report posted online earlier this week.
"We found several instances of apps vulnerable to IP address compromise, exposure of links sent in end-to-end encrypted chats, and silently and unnecessarily downloading gigabytes of data in the background."
Some of the apps' preview features drained smartphone batteries. Others allowed malicious code from a linked page to run on user devices or on the app providers' own servers. Many others leaked user information that was supposed to be private.
"The link previews are a good case study of how simple features can carry privacy and security risks," the researchers wrote.
Facebook Messenger, Instagram, and LinkedIn were singled out for high-risk practices, but those risks affected the companies' own servers rather than end users.
Line posed the worst privacy risk of the apps named, but several parts of the report were blacked out because they covered apps where the problem was more severe and had not yet been fixed.
The researchers listed 16 apps for investigation. In addition to the four already named, the other 12 were Discord, Google Hangouts, iMessage, Slack, Signal, Threema, TikTok, Twitter, Viber, WeChat, WhatsApp, and Zoom.
Reddit was not named in the investigation report, but it appeared in a chart of investigated apps posted on Ars Technica, which noted that the problem had been fixed; the same chart in the report itself does not include Reddit.
Several other prominent messaging/chat apps, including Kik, Microsoft Teams, Skype, Snapchat, Telegram, Wickr Me, and Wire, were not investigated, or at least were not named. We will keep an eye on this report to see whether any of these apps turn out to be among the worst offenders.
To avoid the risk of link previews, use messaging apps that do not preview links at all, such as Threema, TikTok, and WeChat, or apps that generate link previews with minimal risk, such as Apple iMessage, Viber, and WhatsApp.
Signal falls into both camps, as link previews can be turned off in the settings.
Link previews are snapshots of what is on the other side of a web link someone has sent you. You do not have to click on the link to see one.
A link preview usually consists of a thumbnail of the first image on the web page and the first few lines of text on the page. This is an example from a Slack chat used in Tom's Guide.
Although it seems simple, there are actually three different ways a chat or messaging app can generate a preview, and each carries its own level of danger.
In the first and safest method, the message sender's app creates a preview of the link and sends it along with the link itself. In other words, if your friend Frances uses iMessage to send you a link to a page on TomsGuide.com, iMessage on her iPhone will package a small preview of the Tom's Guide page and bundle it into the link message.
"This approach assumes that whoever is sending the link must trust the link."
Messaging apps such as Apple's iMessage, Viber, WhatsApp, and Signal (when link previews are enabled) use this method.
The second method is much more dangerous. In this case, the sender's message contains only a link, and the app on the message recipient's device must open the link and generate a link preview before the recipient can click the link.
Whether or not you open the link, the messaging app loads the web page in the background, and that page may contain malicious content or code. The server on the other end learns your phone's IP address and possibly even your physical location.
In other words, if your mischievous cousin Evil Jake wants to make fun of you, he can send you a link to a malicious site known for attacking the messaging app you both use. All you have to do is look at the message.
Bakry and Mysk did not name the apps that do this. At least two of them also automatically download large files linked in messages to build the preview, consuming bandwidth, data plans, and battery.
The third and most common method involves the messaging provider's servers. Services that use this method include Discord, Facebook Messenger, Google Hangouts, Instagram, Line, LinkedIn, Slack, Twitter, and Zoom, plus others that Bakry and Mysk do not name.
When a message sender embeds a link in a message, a remote server managed by the messaging provider generates a preview and sends it to both the message sender and the message recipient.
This ensures that the message recipient's phone will not run malware or download a huge file, but the service provider's server may do both.
Bakry and Mysk posted a video on YouTube showing how two Instagram messages caused Facebook's servers to download two dozen gigabytes of data and run JavaScript embedded in the linked web page. LinkedIn's servers also ran the JavaScript.
The server-in-the-middle configuration also poses privacy risks. When the sender of a message sends a private document (e.g., a Google Doc) to a recipient, the service provider's server downloads at least part of the Google Doc to generate a preview.
The service provider's staff could view at least part of that Google Doc for as long as the data is retained. Slack, for example, told the researchers that it retains the data for only 30 minutes.
How much data the server pulls from an embedded link also matters. In most cases, servers download only the first 15 to 50 MB of the page.
Facebook Messenger and Instagram, however, impose no limit, so the researchers were able to make Instagram's server download multiple copies of a 2.7 GB Ubuntu Linux installation file simply by linking it in a message.
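As an added example (not code from the researchers or from any of the apps named), this is how a preview-generating server can bound the risks described in the two passages above: refuse non-HTTP and loopback/private targets, cap what it reads at the low end of the 15-50 MB range, and build the preview from markup without ever executing a page's JavaScript. The function names and the 15 MB figure are this example's own choices; fetching itself is left to the caller, so the code runs offline.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse
MAX_PREVIEW_BYTES = 15 * 1024 * 1024  # low end of the 15-50 MB range the report cites

def is_allowed_target(url: str) -> bool:
    """Refuse non-HTTP schemes and private/loopback IP literals (hostnames: re-check after DNS)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return ipaddress.ip_address(parts.hostname).is_global
    except ValueError:
        return True  # a hostname rather than an IP literal; resolve and re-check before connecting

def read_capped(chunks, limit: int = MAX_PREVIEW_BYTES) -> bytes:
    """Stop accumulating streamed chunks at `limit` bytes, so a 2.7 GB body is never fetched whole."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) >= limit:
            del buf[limit:]
            break
    return bytes(buf)

class _MetaParser(HTMLParser):
    """Collects <title> and og:* meta tags; <script> bodies are inert text to this parser."""
    def __init__(self):
        super().__init__()
        self.meta, self.title, self._in_title = {}, "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and a.get("content") is not None:
            self.meta.setdefault(prop, a["content"])
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def build_preview(html: bytes) -> dict:
    """Derive the preview from markup alone: no JavaScript is ever executed."""
    p = _MetaParser()
    p.feed(html.decode("utf-8", errors="replace"))
    return {"title": p.meta.get("og:title", p.title.strip()),
            "image": p.meta.get("og:image", ""), "description": p.meta.get("og:description", "")}
```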
Bakry and Mysk contacted the messaging service providers where they discovered security and privacy issues. Line has fixed one of the problems, and Zoom said it is looking into the issue. Facebook, however, stated that what Bakry and Mysk observed on Messenger and Instagram was not actually a problem, and Discord, Google, and LinkedIn had not responded by the time the researchers posted their report.
"Because we are only two people, conducting this research in our spare time, we could only cover a small fraction of the millions of apps out there," they concluded.
"There are email apps, business apps, dating apps, games with built-in chat, and many other types of apps that may be improperly generating link previews and are vulnerable to some of the issues discussed here."