Link previews are a ubiquitous feature found in almost every chat and messaging app, and for good reason: showing the title, a snippet of text and an image from a linked page makes conversations easier to follow.
Unfortunately, link previews can also leak private data, consume limited bandwidth, drain batteries, and expose links sent in chats that are supposed to be end-to-end encrypted.
Among the offenders were Facebook Messenger, Instagram, LinkedIn and Line, according to a study.
How do link previews work?
When a sender includes a link in a message, the application displays, alongside the message, some text (usually the page title) and an image taken from the linked content.
For that to happen, the application itself, or a proxy server the application designates, has to fetch the link, open whatever file it points to and analyze its contents. This is where users can be exposed to attack.
The most severe cases are those in which the fetch can pull down malware. Less dramatic variants force the application to download files large enough to crash it, drain the battery, or eat up a limited data plan.
And if the link points to private material, say a tax return uploaded to a private OneDrive or Dropbox folder, the application's server gets to view that file and can store it indefinitely.
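The fetch-and-parse step above is where the damage is done, so here is what a bounded preview generator looks like. This is an added example, not code from the study or from any of the apps it examined; it covers only the part after the HTTP response arrives (the streamed body is simulated with in-memory chunks so it runs offline), and the 256 KiB cap, the function names and the sample pages are assumptions for illustration. It refuses non-HTML before reading a single body byte, stops reading as soon as `<head>` is over, and aborts once the cap is exceeded instead of buffering a gigabyte.

```python
"""Bounded link-preview generator: added example, not the study's or any app's code."""
import codecs
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Iterable, Optional, Tuple

# Hypothetical cap, far below the 15-50 MB the study observed: og: metadata lives in <head>.
MAX_PREVIEW_BYTES = 256 * 1024


class _HeadParser(HTMLParser):
    """Collect og:title / og:image (falling back to <title>) and flag when <head> ends."""

    def __init__(self) -> None:
        super().__init__()
        self.title: Optional[str] = None
        self.image: Optional[str] = None
        self.head_done = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            prop = (a.get("property") or a.get("name") or "").lower()
            if prop == "og:title" and self.title is None:
                self.title = a.get("content")
            elif prop == "og:image" and self.image is None:
                self.image = a.get("content")
        elif tag == "title":
            self._in_title = True
        elif tag == "body":            # some pages omit </head>; <body> also ends the head
            self.head_done = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.head_done = True

    def handle_data(self, data):
        if self._in_title and self.title is None and data.strip():
            self.title = data.strip()


@dataclass
class Preview:
    title: Optional[str]
    image: Optional[str]
    bytes_read: int


def build_preview(content_type: str, body: Iterable[bytes],
                  max_bytes: int = MAX_PREVIEW_BYTES) -> Tuple[str, Optional[Preview]]:
    """Return ("ok", Preview), ("not-html", None) or ("too-large", None)."""
    # A PDF, ZIP or video cannot carry preview metadata, so never fetch its body.
    if content_type.split(";", 1)[0].strip().lower() != "text/html":
        return "not-html", None
    parser = _HeadParser()
    decoder = codecs.getincrementaldecoder("utf-8")(errors="replace")
    total = 0
    for chunk in body:
        total += len(chunk)
        if total > max_bytes:
            return "too-large", None        # abort; nothing past the cap is buffered
        parser.feed(decoder.decode(chunk))
        if parser.head_done:
            break                           # the rest of the page is never read
    return "ok", Preview(parser.title, parser.image, total)


# --- constructed sample inputs (not real pages) -----------------------------------
SAMPLE_PAGE = (
    b'<html><head><meta charset="utf-8">'
    b'<meta property="og:title" content="Quarterly report">'
    b'<meta property="og:image" content="https://example.com/card.png">'
    b"<title>fallback title</title></head>"
    b"<body>" + b"<p>body text that a previewer never needs</p>" * 50 + b"</body></html>"
)


def chunked(data: bytes, size: int = 64) -> Iterable[bytes]:
    """Stand-in for a streamed HTTP body."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def endless_html(chunk_size: int = 64 * 1024) -> Iterable[bytes]:
    """Simulates a multi-gigabyte 'page' whose <head> never closes."""
    yield b"<html><head>"
    while True:
        yield b"x" * chunk_size


if __name__ == "__main__":
    print(build_preview("text/html; charset=utf-8", chunked(SAMPLE_PAGE)))
    print(build_preview("application/pdf", chunked(b"%PDF-1.7 ...")))
    print(build_preview("text/html", endless_html()))
```

With the sample page the generator stops after about 200 bytes even though the page is several kilobytes long; the PDF is rejected on its Content-Type alone; and the never-ending page is cut off at the cap rather than pulling the whole file onto the server, which is the behaviour the study found missing in Facebook Messenger and Instagram.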
What applications expose you to such risks?
Talal Haj Bakry and Tommy Mysk, the researchers behind the report, found that Facebook Messenger and Instagram were the messaging applications that behaved worst.
Both download and keep a copy of the entire linked file, even if it is a gigabyte in size. That is a problem whenever the file is something users would rather keep private.
Haj Bakry and Mysk reported their findings to Facebook, and the company replied that both applications work as intended.
In LinkedIn's case the issue was less serious: rather than copying files of any size, it copied only the first 50 MB.
Line, meanwhile, appears to send each link it finds in an end-to-end encrypted message to a Line server so that the server can generate the preview.
“We believe this violates the purpose of end-to-end encryption, because Line servers know everything about the links that are sent through the application and information about who sends what links to whom,” wrote Haj Bakry and Mysk.
Discord, Google Hangouts, Slack, Twitter and Zoom also copy linked files, but cap the download at somewhere between 15 MB and 50 MB. The chart below compares each application in the study.
At the other end of the spectrum, the study found that many applications get this right. Signal, Threema, TikTok and WeChat, for example, let every user turn link previews off.
For truly sensitive messages, and for users who want as much privacy as possible, that is the setting to choose.