

Link previews can be used by hackers to expose valuable user information

Oh great, another vulnerability.

Image: spam calls on a smartphone (Unsplash)

Link previews are probably the single most common feature in the apps we use daily. Whether it is a link to a PDF file, a news article, a blog post, or a YouTube video, we get a preview of the link any time we hover over it. From the preview, we can tell what the link is about, because we can read its headline, and it usually comes with a preview image. We get to see all of that without ever opening the link.

That’s all very convenient, and everyone takes it for granted.

However, most people don’t realize that link previews present potential privacy and security risks. A single link preview can expose sensitive data, drain your battery, or even reveal personal data in chats that are supposed to be covered by end-to-end encryption.

Tommy Mysk and Talal Haj Bakry conducted the research. Their research found that the messengers from Instagram and Facebook were among the worst offenders, followed by the Line and LinkedIn messengers.

To get a better grasp of the subject, we need to understand link previews and the mechanisms behind them.

To generate a link preview, the app (or a proxy server acting on the app's behalf) must fetch the link, open the file it points to, and inspect its contents. Each of those steps exposes the user to possible attacks.

As a result, the user risks downloading malware, draining the battery, crashing the app, and so on. In some instances, malicious software even consumes the user's bandwidth. In one scenario, the malicious software might reach personal data such as a bank account number posted on a private Dropbox or OneDrive account.

The research consisted of a set of tests showing how messenger apps handle previews. As mentioned earlier, the Instagram and Facebook messengers proved quite vulnerable, as they freely run the JavaScript found at the previewed link. Instagram even downloaded 2GB of content hidden behind the preview image link.

Both the Instagram and Facebook support teams denied the claims, but Mysk and Bakry clearly demonstrated the behaviour in their video presentations.

Apps with messaging features like LinkedIn, Zoom, Slack, Google Hangouts, and Discord copied files as well, but they cap the amount of data their preview servers download. In most cases, the cap is 15 to 50 MB per download. That's still something to worry about, but not as massive an intrusion as in the Instagram and Facebook Messenger apps.
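As an added example (not code from the article, and not code from Mysk and Bakry's research or from any of the apps named), here is a minimal preview fetcher in Python that applies the two mitigations the paragraphs above point at: a hard byte cap on what the preview server will download, and extraction of the preview title and image from Open Graph metadata without ever executing the page's scripts. The HTTP fetch is stood in for by an in-memory stream and the HTML sample is constructed, so it runs offline; the cap value, function names and field names are assumptions.

```python
"""
Added example, not part of the article: a size-capped, script-free
link-preview builder. The fetch is simulated with an in-memory stream
and the HTML sample below is constructed for this example.
"""
import io
from html.parser import HTMLParser

# Assumed cap, chosen to sit in the 15-50 MB range the article cites.
MAX_PREVIEW_BYTES = 50 * 1024 * 1024


class PreviewTooLarge(Exception):
    """Raised when the response body exceeds the configured cap."""


class _MetaExtractor(HTMLParser):
    """Collects <title> and og:* meta tags; <script> bodies are ignored entirely,
    so nothing in the page is ever evaluated."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._in_title = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            prop = a.get("property") or a.get("name") or ""
            if prop.startswith("og:") and a.get("content") is not None:
                self.fields.setdefault(prop, a["content"])  # first occurrence wins
        elif tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title and not self._in_script:
            self.fields.setdefault("title", data.strip())


def read_capped(stream, max_bytes=MAX_PREVIEW_BYTES, chunk=64 * 1024):
    """Read at most max_bytes from a file-like object, aborting instead of
    swallowing an arbitrarily large body (the multi-gigabyte case in the article)."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        if len(buf) + len(piece) > max_bytes:
            raise PreviewTooLarge(f"body exceeds {max_bytes} bytes")
        buf.extend(piece)


def build_preview(stream, content_type, max_bytes=MAX_PREVIEW_BYTES):
    """Return a small dict for the preview card, or None when the resource is
    not HTML or is over the cap. Only parsing happens here: no script execution
    and no follow-up fetch of the og:image URL."""
    if not content_type.lower().startswith("text/html"):
        return None  # PDFs, images, archives etc. are never opened for a preview
    try:
        body = read_capped(stream, max_bytes)
    except PreviewTooLarge:
        return None
    parser = _MetaExtractor()
    parser.feed(body.decode("utf-8", errors="replace"))
    return {
        "title": parser.fields.get("og:title") or parser.fields.get("title"),
        "description": parser.fields.get("og:description"),
        "image": parser.fields.get("og:image"),
    }


# Constructed sample standing in for an HTTP response body.
SAMPLE_PAGE = b"""<html><head>
<title>Fallback title</title>
<meta property="og:title" content="Quarterly report">
<meta property="og:image" content="https://example.invalid/cover.png">
<script>document.title = "changed by script";</script>
</head><body>...</body></html>"""


def demo():
    """Run the three cases: a normal page, an oversized body, a non-HTML file."""
    ok = build_preview(io.BytesIO(SAMPLE_PAGE), "text/html; charset=utf-8")
    # A 3 MB body against a 1 MB cap is refused rather than downloaded in full.
    big = build_preview(io.BytesIO(b"<html>" + b"x" * (3 * 1024 * 1024)),
                        "text/html", max_bytes=1024 * 1024)
    pdf = build_preview(io.BytesIO(b"%PDF-1.4 ..."), "application/pdf")
    return ok, big, pdf


if __name__ == "__main__":
    print(demo())
```

The script tag in the sample would have changed the title in a browser-based previewer; here it is simply skipped, and the preview is built from the static metadata alone. A real deployment would additionally run the fetch from an isolated preview host, check the Content-Type and Content-Length headers before reading the body, and limit redirects.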

It's also noteworthy that certain messaging apps are aware of this and give their users the option to receive links without a preview. For instance, users of WeChat, TikTok, Threema, and Signal can opt to receive links without a preview.

What do you think? Are you surprised that link previews can present these types of risks? Let us know down below in the comments or carry the discussion over to our Twitter or Facebook.
