Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities

A new report by security researchers Talal Haj Bakry and Tommy Mysk has revealed that link previews in messaging apps can lead to security and privacy issues on iOS and Android. Depending on where an app generates the preview, Bakry and Mysk found that apps could leak the recipient's IP address, expose links sent in end-to-end encrypted chats to a third-party server, download large files without the user's consent, and retain copies of private data.


Link previews offer a peek at content such as web pages or documents in many messaging apps. The feature allows users to see a short summary and preview image inline with the rest of the conversation without having to tap on the link.

Apps such as iMessage and WhatsApp have the sender generate the preview, which protects the receiver if the link is malicious. The summary and preview image are created on the sender's device and transmitted alongside the message as an attachment. The receiver's device shows the preview exactly as it was sent and never contacts the linked server until the user taps the link. Apps that do not generate a link preview at all, such as TikTok and WeChat, are likewise unaffected.

The issue arises when the receiver generates the link preview, because the receiving app automatically fetches the link in the background to build it. This happens before the user taps anything, so any content at the other end of the link is requested without consent. Apps such as Reddit generate previews this way.

For example, a malicious actor could send a link to a server they control. When the receiver's app fetches the link in the background, the request carries the device's IP address, which reveals the recipient's approximate location and confirms that the message was received, all without the user having tapped the link.

This approach can also cause problems if the link points to a large file: an app with no download limit may attempt to fetch the whole file, draining battery and eating into the user's data plan.

Link previews can also be generated on an external server, and this is how many popular apps such as Discord, Facebook Messenger, Google Hangouts, Instagram, LinkedIn, Slack, Twitter, and Zoom work. In this case, the app will first send the link to an external server and ask it to generate a preview, and then the server will send the preview back to both the sender and receiver.

However, this poses a privacy risk when the content behind the link is private. The preview server must fetch the linked content itself, so these apps can end up holding unauthorized copies of private information on their servers and retaining them for some period of time.

Although many of the apps had implemented a limit on how much of a link's content they would download, the researchers found that Facebook Messenger and Instagram were notable for downloading the entirety of any linked content to their servers, regardless of size. When asked about this behavior, Facebook reportedly said that it considers this to be "working as intended."
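The two failure modes described above, fetching linked content before the user taps and fetching it with no size limit, are both properties of the code that builds the preview. As an added example (not code from the Mysk report or from any of the apps named above), the fetcher below extracts a title and Open Graph image from a link while enforcing the checks the research found missing: it only downloads bodies whose content type it can actually summarize, refuses up front when the server declares a size over the cap, and stops reading at the cap even if the server streams an endless body. The network layer is injected so the demo runs offline against constructed responses; the 256 KiB cap and the `example.test` URLs are assumptions for illustration.

```python
"""Link-preview fetcher with the guard rails missing from the apps in the report.

Added example, not code from the Mysk report or from any messaging app.
The network layer is injected so the demo runs offline against constructed
responses; swap in an urllib/http.client-based opener for real use.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Callable, Iterator, Mapping, Optional

MAX_BYTES = 256 * 1024                      # assumed cap on bytes pulled per link
PARSEABLE = ("text/html", "application/xhtml+xml")   # only these get a body fetch


@dataclass
class Response:
    status: int
    headers: Mapping[str, str]
    body: Iterator[bytes]                    # streamed so we can stop early


@dataclass
class Preview:
    title: Optional[str]
    image: Optional[str]
    content_type: str
    bytes_read: int
    truncated: bool


class _MetaParser(HTMLParser):
    """Collects og:* meta tags and the <title> text."""
    def __init__(self):
        super().__init__()
        self.og, self.title_parts, self._in_title = {}, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and a.get("content"):
            self.og.setdefault(prop, a["content"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def fetch_preview(url: str, opener: Callable[[str], Response],
                  max_bytes: int = MAX_BYTES) -> Preview:
    resp = opener(url)
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    length = resp.headers.get("content-length")

    # A video, archive or PDF cannot be summarized from its body: don't download it.
    if ctype not in PARSEABLE:
        return Preview(None, None, ctype, 0, False)
    # Declared size already over the cap: refuse before reading a byte.
    if length is not None and int(length) > max_bytes:
        return Preview(None, None, ctype, 0, True)

    buf, truncated = bytearray(), False
    for chunk in resp.body:                  # stop at the cap even on an endless stream
        buf.extend(chunk)
        if len(buf) >= max_bytes:
            del buf[max_bytes:]
            truncated = True
            break

    parser = _MetaParser()
    parser.feed(buf.decode("utf-8", errors="replace"))
    title = parser.og.get("og:title") or ("".join(parser.title_parts).strip() or None)
    return Preview(title, parser.og.get("og:image"), ctype, len(buf), truncated)


# --- constructed responses standing in for servers a link might point at ---------
HTML_PAGE = (b"<html><head><title>Quarterly numbers</title>"
             b'<meta property="og:image" content="https://example.test/q.png">'
             b"</head><body>" + b"x" * 10_000 + b"</body></html>")


def _chunks(data: bytes, size: int = 4096) -> Iterator[bytes]:
    for i in range(0, len(data), size):
        yield data[i:i + size]


def fake_opener(url: str) -> Response:
    """Offline stand-in for the network; URLs and bodies are constructed."""
    if url == "https://example.test/report":
        return Response(200, {"content-type": "text/html; charset=utf-8"}, _chunks(HTML_PAGE))
    if url == "https://example.test/big.mp4":            # 2 GiB video, declared size
        return Response(200, {"content-type": "video/mp4",
                              "content-length": str(2 * 1024 ** 3)}, iter(()))
    if url == "https://example.test/endless":            # HTML with no end and no length
        return Response(200, {"content-type": "text/html"},
                        iter(lambda: b"<p>spam</p>" * 1000, None))
    raise KeyError(url)


if __name__ == "__main__":
    for u in ("https://example.test/report", "https://example.test/big.mp4",
              "https://example.test/endless"):
        print(u, fetch_preview(u, fake_opener))
```

Whichever side runs this (receiver device or preview server), the cap bounds the battery and data cost per link and the content-type check keeps a preview fetch from turning into a bulk download; what it cannot fix is the IP exposure or the copy on the preview server, which only moving generation to the sender's device avoids.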

Copies kept on external servers could be subject to data breaches, which may be particularly concerning for users of business apps such as Zoom and Slack, and those who send links to sensitive private data.

The research offers an appreciation of how the same exact feature can work in different ways, and how these differences can have a significant impact on security and privacy. See the full report for more information.

Top Rated Comments

jayducharme
25 months ago

Although many of the apps had implemented a data limit on how much of any link content to download, the researchers discovered that Facebook Messenger and Instagram were particularly notable for downloading the entirety of any link's contents to its servers, regardless of size.
And why does this not surprise me?
Score: 19 Votes

macintoshmac
25 months ago

These automatic link previews are a cancer. When I am sending a link I don't need a preview; I know what I am sending.
Link previews are targeted at receivers who would appreciate a quick preview, not towards previews that are shown on senders' devices as well when senders send messages.
Score: 10 Votes

doboy
25 months ago

Got it, use only iMessage :)
Score: 4 Votes

Apple Freak
25 months ago

Rotary phones without answering machines and letter writing: It's the only solution!
Don't forget about smoke signals and carrier pigeons too.
Score: 3 Votes

jonblatho
25 months ago

Security researchers do not agree on people not wanting it. They are commenting on misuse of automatic link preview.
To expand on this, they're specifically taking issue with only some implementations which can create privacy and security risks. Granted, nothing that they discuss here is that bad or difficult to fix.
Score: 3 Votes

Runs For Fun
25 months ago

It's interesting in this case (and probably many others) how there is a direct tradeoff between device security and data privacy.

If everything is generated externally and only a preview image is sent to your device, there is no security risk to your device (unless you open the link), but a privacy disadvantage.

If everything is generated on-device, there's no privacy issue in terms of third-party services, but there is a privacy issue if the link is being used maliciously to track the user, and there's a potential security risk if there's a vulnerability on the page that requires no user interaction.

Of course, on the privacy side, if any sensitive content being linked to doesn't require a login, then it is only offering security by obscurity, which is so bad from a security standpoint already, so that's kind of a moot point. You likewise shouldn't be pushing passwords or whatnot in the URL.

Which is to say the researchers are right that the potential privacy hit is better than the potential local security hit, although I'm loath to say that when Facebook is involved, since you can be pretty sure they're going to use this to abusively harvest and store any user data they possibly can.

I don't see Apple Messages anywhere on that list, and I know it generates previews, so I'm assuming they're the redacted one?

Interestingly, I've noticed that Messages will generate a preview of links from contacts in my address book, but does NOT generate a preview of links from other contacts. So I don't get previews from spam links or things like UPS tracking alerts, but I do get them from friends and co-workers.

This isn't perfect from a security standpoint, but seems like a not-so-bad compromise.
iMessage generates the preview on the sender's device, which is the correct way to do this. The problem here is some crappy third-party apps don't do this and/or have no size limit for what is fetched for the preview.
Score: 3 Votes
