Link previews can be used by hackers to expose valuable user information
Oh great, another vulnerability.
Link preview is probably the single most common feature within most apps we use daily. Whether it is a link to a PDF file, news article, blog post, or YouTube video, we get a preview of the link whenever we hover over it. From the preview we can tell what the link is about, since we can read its headline, and usually it comes with a preview image. We get to see all of that without ever opening the link.
That’s all very convenient, and everyone takes it for granted.
However, most people don’t realize that link previews present potential privacy and security risks. A single link preview can expose sensitive data, drain your battery, or even reveal personal data in chats that are supposed to be covered by end-to-end encryption.
The research was conducted by Tommy Mysk and Talal Haj Bakry. They found that the messengers from Instagram and Facebook were among the worst offenders, followed by the Line and LinkedIn messengers.
To get a better grasp of the subject, we need to understand link previews and the mechanisms behind them.
To produce a preview, the app, or a proxy server acting on its behalf, has to fetch the link, open the file, and inspect its contents. Every one of those steps exposes the user to a possible attack.
As a result, the user risks downloading malware, battery drain, app crashes, and so on. In some instances, the malicious software also consumes the user's bandwidth. In one scenario, the malicious software might find its way to personal data such as a bank account number posted to a private Dropbox or OneDrive account.
Both the Instagram and Facebook support teams denied the claims, but Mysk and Bakry clearly demonstrated the behaviour in their video presentations.
Apps with messaging features such as LinkedIn, Zoom, Slack, Google Hangouts, and Discord copied files as well, but they cap the amount of data their preview servers download. In most cases the cap is 15 to 50 MB per download. That is still something to worry about, but not as massive an intrusion as the Instagram and Facebook Messenger apps.
It is also noteworthy that certain messaging apps are aware of this and give their users the option to receive links without a preview. For instance, users of WeChat, TikTok, Threema, and Signal can opt to receive links without a preview.
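The two mitigations described above, a hard cap on how much of the linked file a preview server downloads and refusing to open non-HTML files at all, can be seen in a minimal preview fetcher. This is an added example and not code from the researchers or from any of the apps named; the cap value and the response-stream interface are assumptions.

```python
"""Size-capped link-preview fetch (added example, not the researchers' code).
Assumes the proxy holds an open response: Content-Type plus a byte stream;
MAX_PREVIEW_BYTES is an illustrative cap, well below the 15-50 MB the article cites."""
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # illustrative cap (assumption)

class _PreviewMeta(HTMLParser):
    """Collect only the <title> and og:image a preview card needs."""
    def __init__(self):
        super().__init__()
        self.title, self.image, self._in_title = None, None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("property") == "og:image":
            self.image = a.get("content")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.title is None and data.strip():
            self.title = data.strip()

def build_preview(content_type, stream, cap=MAX_PREVIEW_BYTES):
    """Return preview fields without buffering more than cap body bytes."""
    if not content_type.lower().startswith("text/html"):
        # PDFs, images, archives: do not open the file; show the bare link
        return {"title": None, "image": None, "truncated": False, "fetched": False}
    chunk = stream.read(cap + 1)            # one extra byte detects overflow
    parser = _PreviewMeta()
    parser.feed(chunk[:cap].decode("utf-8", errors="replace"))
    parser.close()
    return {"title": parser.title, "image": parser.image,
            "truncated": len(chunk) > cap, "fetched": True}

def preview_from_bytes(content_type, data, cap=MAX_PREVIEW_BYTES):
    """Convenience wrapper for a body already held as bytes."""
    return build_preview(content_type, io.BytesIO(data), cap)

# Constructed sample page: small head, body far larger than any sane cap
SAMPLE_PAGE = (b"<html><head><title>Quarterly report</title>"
               b'<meta property="og:image" content="https://example.invalid/cover.png">'
               b"</head><body>" + b"x" * 200_000 + b"</body></html>")
```

Running `preview_from_bytes("text/html", SAMPLE_PAGE, cap=4096)` yields the title and image while reporting the body as truncated, so the card is built from a few kilobytes rather than the whole 200 KB file.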