Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Link Previews in Chat Apps Pose Privacy, Security Issues: Researchers

An analysis of the manner in which popular chat applications handle link previews has revealed several privacy and security issues, including some that still need addressing, security researchers warn.

Link previews provide users with information on what a link received in chat would lead them to, regardless of whether it is a file or a web page.

An analysis of the manner in which popular chat applications handle link previews has revealed several privacy and security issues, including some that still need addressing, security researchers warn.

Link previews provide users with information on what a link received in chat would lead them to, regardless of whether it is a file or a web page.

However, link previews can be abused for nefarious purposes, and security researchers Talal Haj Bakry and Tommy Mysk claim to have identified several cases in which popular chat apps for iOS and Android fail to provide their users with the necessary protections against such abuses.

Due to the manner in which link previews are implemented, some applications were found to leak users’ IP addresses, others to leak links that have been sent in conversations encrypted end-to-end, while some would unnecessarily download large amounts of data, even gigabytes, in the background.

The analyzed applications include Discord, Facebook Messenger, Google Hangouts, iMessage, Instagram, LINE, LinkedIn, Reddit, Signal, Slack, Threema, TikTok, Twitter, Viber, WeChat, WhatsApp, and Zoom.

Four of the apps, namely Signal (if the link preview option is turned off in settings), Threema, TikTok, and WeChat, do not generate previews. In iMessage, Signal (if the link preview option is enabled), Viber, and WhatsApp, the previews are generated on the sender’s side.

In Reddit (only in the chat, not when viewing posts and comments), previews are generated by the receiver, before the user taps on the link, which the researchers found to be a major privacy concern, as it may result in the receiver’s IP address being leaked to the sender.

An attacker can obtain a user’s IP address, which can also enable them to obtain an approximate geographical location, by sending them a link that points to a server they control. When the app generates the preview, it needs to connect to the attacker’s server in order to fetch the content, allowing the server to record the victim’s IP.

Advertisement. Scroll to continue reading.

Reddit has released fixes for the issue. A second chat app was found vulnerable, but the researchers refrained from providing details on it, pending a fix.

In some applications, the previews are generated server-side, with Discord, Facebook Messenger, Google Hangouts, Instagram, LINE, LinkedIn, Slack, Twitter, and Zoom falling in this category. The problem with this approach, the researchers say, is that the server may store a copy of the sent file, which could contain sensitive information.

“Although these servers are trusted by the app, there’s no indication to users that the servers are downloading whatever they find in a link. Are the servers downloading entire files, or only a small amount to show the preview? If they’re downloading entire files, do the servers keep a copy, and if so for how long? And are these copies stored securely, or can the people who run the servers access the copies?” the researchers said.

Another issue that the researchers identified was that many of the analyzed chat applications stored the files on their servers regardless of their size. Specifically, Facebook Messenger and Instagram, both Facebook applications, were found to store entire files on the company’s servers, even if they weigh gigabytes.

This behavior could lead to a server reaching its capacity, which in theory can result in service disruptions. However, Facebook says this is a feature that works as intended.

“As we explained to the researcher weeks ago, these are not security vulnerabilities. The behavior described is how we show previews of a link on Messenger or how people can share a link on Instagram, and we don’t store that data. This is consistent with our data policy and terms of service,” a Facebook spokesperson told SecurityWeek.

Another concerning matter, the researchers say, is the fact that although many of the analyzed apps offer end-to-end encryption, the LINE app finds no issue with sending links from within the encrypted messages to an internal server to generate a preview.

“Well, it appears that when the LINE app opens an encrypted message and finds a link, it sends that link to a LINE server to generate the preview. We believe that this defeats the purpose of end-to-end encryption, since LINE servers know all about the links that are being sent through the app, and who’s sharing which links to whom,” the researchers explain.

They also underline the fact that chat apps should avoid running JavaScript code when generating previews, as malicious websites may abuse this for nefarious purposes. In LinkedIn’s case, the researchers were able to leverage such code to bypass the app’s limit of downloading 50 MB of a file when generating the preview.

SecurityWeek has also reached out to LINE, LinkedIn, and Reddit for comments on the researchers’ findings, but hasn’t received responses by the time of publication.

Related: Privacy Fears Raised Over Facebook Messaging Apps Integration

Related: Vulnerability in WhatsApp Allows Attackers to Crash Group Chats

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...