An analysis of the manner in which popular chat applications handle link previews has revealed several privacy and security issues, including some that still need addressing, security researchers warn.
Link previews provide users with information on what a link received in chat would lead them to, regardless of whether it is a file or a web page.
However, link previews can be abused for nefarious purposes, and security researchers Talal Haj Bakry and Tommy Mysk claim to have identified several cases in which popular chat apps for iOS and Android fail to provide their users with the necessary protections against such abuses.
Due to the manner in which link previews are implemented, some applications were found to leak users’ IP addresses, others to leak links that have been sent in conversations encrypted end-to-end, while some would unnecessarily download large amounts of data, even gigabytes, in the background.
The analyzed applications include Discord, Facebook Messenger, Google Hangouts, iMessage, Instagram, LINE, LinkedIn, Reddit, Signal, Slack, Threema, TikTok, Twitter, Viber, WeChat, WhatsApp, and Zoom.
Four of the apps, namely Signal (if the link preview option is turned off in settings), Threema, TikTok, and WeChat, do not generate previews. In iMessage, Signal (if the link preview option is enabled), Viber, and WhatsApp, the previews are generated on the sender’s side.
In Reddit (only in the chat, not when viewing posts and comments), previews are generated by the receiver, before the user taps on the link, which the researchers found to be a major privacy concern, as it may result in the receiver’s IP address being leaked to the sender.
An attacker can obtain a user’s IP address, which can also enable them to obtain an approximate geographical location, by sending them a link that points to a server they control. When the app generates the preview, it needs to connect to the attacker’s server in order to fetch the content, allowing the server to record the victim’s IP.
Reddit has released fixes for the issue. A second chat app was found vulnerable, but the researchers refrained from providing details on it, pending a fix.
In some applications, the previews are generated server-side, with Discord, Facebook Messenger, Google Hangouts, Instagram, LINE, LinkedIn, Slack, Twitter, and Zoom falling in this category. The problem with this approach, the researchers say, is that the server may store a copy of the sent file, which could contain sensitive information.
“Although these servers are trusted by the app, there’s no indication to users that the servers are downloading whatever they find in a link. Are the servers downloading entire files, or only a small amount to show the preview? If they’re downloading entire files, do the servers keep a copy, and if so for how long? And are these copies stored securely, or can the people who run the servers access the copies?” the researchers said.
Another issue that the researchers identified was that many of the analyzed chat applications stored the files on their servers regardless of their size. Specifically, Facebook Messenger and Instagram, both Facebook applications, were found to store entire files on the company’s servers, even if they weigh gigabytes.
This behavior could lead to a server reaching its capacity, which in theory can result in service disruptions. However, Facebook says this is a feature that works as intended.
“As we explained to the researcher weeks ago, these are not security vulnerabilities. The behavior described is how we show previews of a link on Messenger or how people can share a link on Instagram, and we don’t store that data. This is consistent with our data policy and terms of service,” a Facebook spokesperson told SecurityWeek.
Another concerning matter, the researchers say, is the fact that although many of the analyzed apps offer end-to-end encryption, the LINE app finds no issue with sending links from within the encrypted messages to an internal server to generate a preview.
“Well, it appears that when the LINE app opens an encrypted message and finds a link, it sends that link to a LINE server to generate the preview. We believe that this defeats the purpose of end-to-end encryption, since LINE servers know all about the links that are being sent through the app, and who’s sharing which links to whom,” the researchers explain.
SecurityWeek has also reached out to LINE, LinkedIn, and Reddit for comments on the researchers’ findings, but hasn’t received responses by the time of publication.