Link previews create new security risks in messaging apps: they can cause the services to leak users' IP addresses and expose links sent via end-to-end encrypted chats. They can even cause the apps' servers to silently download gigabytes of data in the background.
“Links shared in chats may contain private information intended only for the recipients,” said researchers Talal Haj Bakry and Tommy Mysk.
“This could be bills, contracts, medical records, or anything that may be confidential.”
“Apps that rely on servers to generate link previews may be violating the privacy of their users by sending links shared in a private chat to their servers.”
Link preview
Most chat apps have a link preview feature that displays a visual preview and a short description of a shared link.
Apps like Signal and Wire let users turn link previews on or off, while others like Threema, TikTok, and WeChat don't generate link previews at all.
Apps that generate link previews do so in one of three places: on the sender's side, on the recipient's side, or on an external server, which then sends the preview back to both the sender and the recipient.
What happens in sender-side link previews?
Sender-side link previews are used in Apple Messages, Viber, Signal (if the setting is on) and Facebook's WhatsApp. Here the sender's app downloads the link, creates the preview image and summary, and sends them to the recipient as an attachment. When the app on the other side receives the preview, it simply displays it without opening the link.
"This approach assumes that whoever is sending the link must trust it since it'll be the sender's app that will have to open the link," said the researchers.
What is a recipient-side link preview?
Previews generated on the recipient's side open the door to a new risk: a bad actor can gauge the recipient's approximate location, without any action on the recipient's part, simply by sending a link to a server under their control.
This happens because as soon as the messaging app receives a message containing a link, it automatically fetches the URL to build the preview, disclosing the phone's IP address in the request sent to the server.
According to the researchers, Reddit Chat and an undisclosed app which is “in the process of fixing the issue” were found to follow this approach.
Link previews generated using an external server
Apps like Facebook Messenger, Instagram, Zoom, Google Hangouts, LinkedIn, Twitter, LINE and Slack fall into this category. Here, “the servers are downloading whatever they find in a link,” without any indication to users.
While testing these applications, the researchers found that all of them except Facebook Messenger and Instagram imposed a 15-50 MB cap on the data their servers would download.
Facebook Messenger and Instagram were found to download the entire file, even when it ran to gigabytes in size (such as a 2.6GB file), which, according to Facebook, is intended behaviour.
Even so, the researchers warn, this could be a “privacy nightmare” if the servers retain a copy and “there's ever a data breach of these servers.”
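As an added example (not the researchers' code), here is how a sender-side preview generator can enforce the kind of download cap described above: it reads at most a fixed number of bytes, aborts instead of buffering an oversized body, and only parses HTML responses, so a link to a large binary file yields no preview. It assumes the HTTP response body is available as a file-like stream; the sample HTML is constructed for the demo.

```python
import io
from html.parser import HTMLParser

# Lower end of the 15-50 MB cap the researchers observed in most apps.
MAX_PREVIEW_BYTES = 15 * 1024 * 1024


class PreviewTooLarge(Exception):
    """Raised when the linked resource exceeds the preview download cap."""


def read_bounded(stream, limit=MAX_PREVIEW_BYTES, chunk=64 * 1024):
    """Read at most `limit` bytes from a file-like stream, aborting early if exceeded."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise PreviewTooLarge(f"body exceeds {limit} bytes")


class OpenGraphParser(HTMLParser):
    """Collects og:* meta tags and the <title> text needed for a preview card."""
    def __init__(self):
        super().__init__()
        self.meta, self.title, self.in_title = {}, "", False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and a.get("content") is not None:
            self.meta[prop] = a["content"]
        elif tag == "title":
            self.in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data


def build_preview(stream, content_type, limit=MAX_PREVIEW_BYTES):
    """Return {'title', 'description'} for an HTML body, or None for non-HTML content."""
    if not content_type.lower().startswith("text/html"):
        return None  # never pull PDFs, videos or archives just to render a card
    parser = OpenGraphParser()
    parser.feed(read_bounded(stream, limit).decode("utf-8", "replace"))
    return {"title": parser.meta.get("og:title") or parser.title.strip(),
            "description": parser.meta.get("og:description", "")}


def preview_from_bytes(data, content_type, limit=MAX_PREVIEW_BYTES):
    """Convenience wrapper so a captured response body can be previewed offline."""
    return build_preview(io.BytesIO(data), content_type, limit)


# Constructed sample page standing in for a private billing link.
SAMPLE_HTML = (b"<html><head><title>Acme Billing</title>"
               b'<meta property="og:title" content="Invoice #1234">'
               b'<meta property="og:description" content="Amount due: 250 USD">'
               b"</head><body>...</body></html>")
```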
The development led Apple to introduce a new feature in iOS 14 that alerts users every time an app attempts to read clipboard data, along with a new permission that shields the clipboard from unwarranted access by third-party apps.
“We think there's one big takeaway here for developers: Whenever you're building a new feature, always keep in mind what sort of privacy and security implications it may have, especially if this feature is going to be used by thousands or even millions of people around the world.”
“Link previews are a nice feature that users generally benefit from, but here we've showcased the wide range of problems this feature can have when privacy and security concerns aren't carefully considered.”