Link Previews in Messaging Apps Leak Personal Data

Via SecurityWeek

Security researchers have analyzed the most popular messaging apps used on Android and iOS devices and warn that generated link previews leak potentially sensitive data and encrypted messages, and may burden phones with large data downloads.

The Issue

Link previews are generated when someone sends a link on a messaging app; the intention is to show the recipient some information about the link before they click on it.

However, depending on how a messaging app generates link previews, the recipient of a link may unknowingly leak information. For example, if someone sends a link that would capture the IP address of anyone who clicked on it, they may be able to get the recipient’s IP address even without a click, if the link preview is generated on the recipient’s side (because both parties will see the link preview).

If the preview is generated on the sender’s side, the sender won’t be able to capture your IP address, because the link preview generated isn’t using any information from the recipient.

On some apps, such as Facebook Messenger, the preview is generated on the app’s server, meaning any generated data is kept by the app’s company—how long it’s stored and what is done with that data is unknown. This can also be a privacy issue as this information is stored on a company’s servers, even if the messaging or communication is meant to be end-to-end encrypted.

Lastly, some apps allow JavaScript to run on link previews, which can lead to security or privacy problems if the linked site is malicious.
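To make the safer design concrete, here is an added example (not code from the article or from any of the apps named) of a sender-side preview builder that reads only page metadata, never runs scripts, and stops downloading at a size cap. The 64 KiB cap, the names `build_preview` and `sample_stream`, and the idea that the client hands over the response body in chunks are assumptions.

```python
import codecs
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap on how much of a page is read
WANTED = {"og:title", "og:description", "og:image"}

class MetaOnly(HTMLParser):
    """Collects Open Graph <meta> tags and <title>; nothing is executed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields, self.in_title = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") in WANTED and a.get("content"):
            self.fields.setdefault(a["property"], a["content"].strip())
        self.in_title = tag == "title"

    def handle_endtag(self, tag):
        self.in_title = False

    def handle_data(self, data):
        if self.in_title and data.strip():  # script text never passes this check
            self.fields.setdefault("title", data.strip())

def build_preview(chunks, max_bytes=MAX_PREVIEW_BYTES):
    """Build a preview from a streamed body; returns (preview, bytes_read)."""
    parser, read = MetaOnly(), 0
    decode = codecs.getincrementaldecoder("utf-8")("replace").decode
    for chunk in chunks:
        chunk = chunk[: max_bytes - read]  # never take in more than the cap
        read += len(chunk)
        parser.feed(decode(chunk))
        if read >= max_bytes:
            break  # abandon the rest of the download
    f = parser.fields
    preview = {"title": f.get("og:title") or f.get("title", ""),
               "description": f.get("og:description", ""),
               "image": f.get("og:image", "")}
    return preview, read

# Constructed sample: a small <head> followed by a very large body.
SAMPLE_HEAD = (b"<html><head><title>Fallback</title>"
               b'<meta property="og:title" content="Example article">'
               b'<meta property="og:description" content="Short summary">'
               b'<script>document.title = "set by script"</script></head><body>')

def sample_stream(n_chunks=10_000):
    yield SAMPLE_HEAD
    yield from (b"x" * 1024 for _ in range(n_chunks))

if __name__ == "__main__":
    print(build_preview(sample_stream()))
```

Because the sender builds the preview and ships only these text fields with the message, the recipient's device makes no request to the linked site until the recipient chooses to open it.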

Your Move

If you’re concerned about leaking your data via link previews, see if you can turn link previews off in your app’s settings (this is possible with Signal) or use an app that doesn’t generate link previews, such as TikTok, WeChat, and Threema (these apps, however, may have different privacy considerations).

Otherwise, consider using a messaging app that only generates link previews on the sender’s side. This is the case with iMessage, Signal (if link previews are enabled), Viber, and WhatsApp.

As for Discord, Facebook Messenger, Google Hangouts, Instagram, LINE, LinkedIn, Slack, Twitter, and Zoom, the link previews are generated on the server side so there’s a risk that your information is kept by the company, something to be aware of if you’re discussing anything sensitive.

To learn more about this link preview vulnerability, check out SecurityWeek’s article.

Photo by Jae Park on Unsplash
