Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities

A new report by security researchers Talal Haj Bakry and Tommy Mysk has revealed that link previews in messaging apps can lead to security and privacy issues on iOS and Android. Through link previews, Bakry and Mysk discovered that apps could leak IP addresses, expose links sent in end-to-end encrypted chats, download large files without users' consent, and copy private data.

link preview example signal

Link previews offer a peek at content such as web pages or documents in many messaging apps. The feature allows users to see a short summary and preview image inline with the rest of the conversation without having to tap on the link.

Apps such as iMessage and WhatsApp ensure that the sender generates the preview, meaning that the receiver is protected from risk if the link is malicious. This is because the summary and preview image are created on the sender's device and sent as an attachment. The receiver's device will show the preview as it was transmitted from the sender without having to open the link. Apps that do not generate a link preview at all, such as TikTok and WeChat, are also unaffected.

The issue arises when the receiver generates the link preview, because the app will automatically open the link in the background to create the preview. This occurs before users even tap on the link, potentially exposing them to malicious content. Apps such as Reddit generate links in this way.

For example, a malicious actor could send a link to their own server. When the receiver's app automatically opens the link in the background, it would send the device's IP address to the server, revealing their location.

This approach can also cause issues if the link points to a large file, whereupon the app may attempt to download the whole file, draining battery life and hemorrhaging data plan limits.

Link previews can also be generated on an external server, and this is how many popular apps such as Discord, Facebook Messenger, Google Hangouts, Instagram, LinkedIn, Slack, Twitter, and Zoom work. In this case, the app will first send the link to an external server and ask it to generate a preview, and then the server will send the preview back to both the sender and receiver.

However, this may pose a security threat when the contents of the sent link are private. Using an external server allows these apps to potentially create unauthorized copies of private information and retain it for a period of time.

Although many of the apps had implemented a data limit on how much of any link content to download, the researchers discovered that Facebook Messenger and Instagram were particularly notable for downloading the entirety of any link's contents to its servers, regardless of size. When questioned about this behavior, Facebook reportedly said that it considers this to be "working as intended."

Copies kept on external servers could be subject to data breaches, which may be particularly concerning for users of business apps such as Zoom and Slack, and those who send links to sensitive private data.

The research offers an appreciation of how the same exact feature can work in different ways, and how these differences can have a significant impact on security and privacy. See the full report for more information.

Top Rated Comments

jayducharme Avatar
20 months ago

Although many of the apps had implemented a data limit on how much of any link content to download, the researchers discovered that Facebook Messenger and Instagram were particularly notable for downloading the entirety of any link's contents to its servers, regardless of size.
And why does this not surprise me?
Score: 19 Votes (Like | Disagree)
macintoshmac Avatar
20 months ago

These automatic link previews are a cancer, when I am sending a link I don't need a preview, I know what I am sending.
Link previews are targeted at receivers who would appreciate a quick preview, not towards previews that are shown on sender's devices as well when senders send messages.
Score: 10 Votes (Like | Disagree)
doboy Avatar
20 months ago
Got it, use only iMessage :)
Score: 4 Votes (Like | Disagree)
Apple Freak Avatar
20 months ago

Rotary phones without answering machines and letter writing: It's the only solution!
Don't forget about smoke signals and carrier pigeons too.
Score: 3 Votes (Like | Disagree)
jonblatho Avatar
20 months ago

Security researchers do not agree on people not wanting it. They are commenting on misuse of autoamtic link preview.
To expand on this, they’re specifically taking issue with only some implementations which can create privacy and security risks. Granted, nothing that they discuss here is that bad or difficult to fix.
Score: 3 Votes (Like | Disagree)
Runs For Fun Avatar
20 months ago
It's interesting in this case (and probably many others) how there is a direct tradeoff between device security and data privacy.

If everything is generated externally and only a preview image is sent to your device, there is no security risk to your device (unless you open the link), but a privacy disadvantage.

If everything is generated on-device, there's no privacy issue in terms of third party services, but there is a privacy issue if the link is being used maliciously to track the user, and there's a potential security risk if there's a vulnerability on the page that requires no user interaction.

Of course, on the privacy side, if any sensitive content being linked to doesn't require a login, then it is only offering security by obscurity, which is so bad from a security standpoint already, so that's kind of a moot point. You likewise shouldn't be pushing passwords or whatnot in the URL.

Which is to say the researchers are right that the potential privacy hit is better than the potential local security hit, although I'm loathe to say that when Facebook is involved since you can be pretty sure they're going to use this to abusively harvest and store any user data they possibly can.

I don't see Apple Messages anywhere on that list, and I know it generates previews, so I'm assuming they're the redacted one?

Interestingly, I've noticed that Messages will generate a preview of links from contacts in my address book, but does NOT generate a preview of links from other contacts. So I don't get previews from spam links or things like UPS tracking alerts, but I do get them from friends and co-workers.

This isn't perfect from a security standpoint, but seems like a not-so-bad compromise.
iMessage generates the preview one the sender’s device which is the correct way to do this. The problem here is some crappy third party apps don’t do this and/or have no size limit for what is fetched for the preview.
Score: 3 Votes (Like | Disagree)

Related Stories

Google Logo Feature Slack

Google Launching Privacy Sandbox to Limit Ad Tracking on Android, Calls 'Blunt Approaches' Like Apple's 'Ineffective'

Wednesday February 16, 2022 7:50 am PST by
Google has announced plans to strengthen user privacy on Android with a new initiative that will put an end to cross-app tracking on Android over the next two years, making it more difficult for advertisers to track users across other apps. In a blog post, Google announced a multi-year project named "Privacy Sandbox" that introduces "more private advertising solutions" for mobile apps. The...
iOS App Store General Feature JoeBlue

App Store Now Supports Unlisted Apps Discoverable Only With a Direct Link

Friday January 28, 2022 11:27 am PST by
Apple recently announced that the App Store now supports unlisted apps discoverable only with a direct link, as outlined on its developer website. Developers with apps that aren't suited for public distribution can submit a request on Apple's website to distribute unlisted apps, which don't appear in any App Store categories, recommendations, charts, search results, or other listings....
ios15 mail privacy feature

Mail Privacy Protection Seemingly Undermined by Apple Watch [Updated]

Tuesday November 16, 2021 6:28 am PST by
The security provided by Apple's Mail Privacy Protection feature is seemingly undermined by a lack of Apple Watch support, security researchers have found. Mail Privacy Protection is a new feature introduced with iOS 15, iPadOS 15, and macOS Monterey that hides your IP address so senders are not able to determine your location or link email habits to your other online activity. It also...
icloud private relay ios 15

EU Mobile Operators Want Apple's iCloud Private Relay Service to Be Outlawed Over Concerns of 'Digital Sovereignty'

Monday January 10, 2022 4:40 am PST by
Major EU mobile operators are reportedly looking for Apple's iCloud Private Relay service to be outlawed because it allegedly infringes upon EU "digital sovereignty," according to a report from The Telegraph. iCloud Private Relay was a feature announced with iOS 15 that encrypts data so that neither Apple nor a third-party can see users' browsing activity in Safari. With iCloud Private Rely...
Whatsapp Feature

WhatsApp Readies Message Reactions for iPhone and Android

Wednesday February 2, 2022 4:21 am PST by
WhatsApp's plan to bring iMessage-style message reactions to the massively popular chat platform appears to be entering its final stages, based on new screenshots shared by WABetaInfo. WhatsApp has been working on message reactions – or "Tapbacks" in Apple Messages parlance – for some time, with evidence of their development first coming to light last summer. The feature gives...
Safari Technology Preview Feature

Apple Releases Safari Technology Preview 137 With Bug Fixes and Performance Improvements

Monday December 20, 2021 1:28 pm PST by
Apple today released a new update for Safari Technology Preview, the experimental browser Apple first introduced in March 2016. Apple designed the Safari Technology Preview to test features that may be introduced into future release versions of Safari. Safari Technology Preview release 137 includes bug fixes and performance improvements for Web Inspector, CSS, JavaScript, WebAssembly,...
telegram

Telegram Messenger Gains Download Manager, New Attachment Menu, and More

Friday March 11, 2022 3:24 am PST by
Telegram Messenger has updated its iPhone and iPad app with several new features, including a new download manager, redesigned attachment menu, support for live streaming with third-party apps, and more. Telegram users are able to send files of any type up to 2GB each and access them from any device, with no limit on cloud storage, which has made downloading files more popular on the...
Novi WhatsApp

WhatsApp Launches Instant Cryptocurrency Payments in the US

Thursday December 9, 2021 4:02 am PST by
WhatsApp has launched a cryptocurrency payment feature for a small number of users in the United States, thanks to Novi integration, a digital wallet owned by Facebook (now Meta). The pilot program lets users of the encrypted messaging app send and receive money "instantly, securely, and with no fees" using the Paxos Dollar (USPD) stablecoin, whose value is linked to the US dollar. The...

Popular Stories

RIP iPod Feature

RIP iPod: A Look Back at Apple's Iconic Music Player Over the Years

Friday May 13, 2022 2:25 pm PDT by
Apple earlier this week announced the discontinuation of the iPod touch, and because it was the last iPod still available for purchase, its sunsetting effectively marks the end of the entire iPod lineup. To send the iPod on its way, we thought it would be fun to take a look back at some of the most notable iPod releases over the last 21 years. Original iPod (2001) Introduced in October...
iOS 16 mock for article

Gurman: iOS 16 to Include New Ways of System Interaction and 'Fresh Apple Apps'

Sunday May 15, 2022 6:14 am PDT by
iOS 16 will include new ways of interacting with the system and some "fresh Apple apps," Bloomberg's Mark Gurman has said, offering some more detail on what Apple has in store for the upcoming release of iOS and iPadOS set to be announced in a few weeks at WWDC. In the latest edition of his Power On newsletter, Gurman wrote that while iOS 16 is not likely to introduce a major face-lift to...
14 16 inch 2021 mbps back to back feature orange

Five Things You Still Can't Do With a MacBook Pro

Wednesday May 11, 2022 11:16 am PDT by
It's been over 200 days since Apple debuted its redesigned MacBook Pro lineup. Offered in 14-inch and 16-inch display sizes, the new-look MacBooks wowed Apple fans and creative pros alike with their powerful custom Apple silicon, mini-LED screen, and multiple connectivity options. But there are still some things you can't do with a MacBook Pro. Here are five features some Mac users are still...
iOS 16 mock for article

Which Devices Will iOS 16 and iPadOS 16 Support?

Thursday May 12, 2022 7:29 am PDT by
While there are as yet no concrete rumors related to which devices iOS 16 and iPadOS 16 will support, the discontinuation of the iPod touch earlier this week may be an indication that as many as nine devices could be about to lose support for Apple's upcoming operating systems. iOS and iPadOS 13, 14, and 15 support all of the same devices, with the iPhone 6S and iPhone 6S Plus,...
apple mac ipad watch trade in

Apple Launches Limited-Time Bonus Trade-In Credit for iPhone, iPad, Mac, and Apple Watch in Many Countries

Wednesday May 11, 2022 5:14 am PDT by
Apple has launched a special limited-time offer for iPhone, Apple Watch, Mac, and iPad trade-in that offers customers additional credit when trading in their only device for a new one. The offer is being run in several countries including the US, UK, Germany, Spain, Italy, South Korea, Japan, Taiwan, China, India, and France. In the UK, Apple is offering up to £50 of extra trade-in credit...
sony

Sony Unveils Redesigned WH-1000XM5 Headphones With Improved Noise Cancelation

Thursday May 12, 2022 9:26 am PDT by
Sony's flagship WH-1000XM4 noise-canceling headphones have been among the best on the market for some time, and today Sony announced its fifth-generation WH-1000XM5 headphones, boasting a new design and several improvements over the previous model. The redesigned headphones replace the shrouded arms that swivel on the XM4's with an exposed arm that has a single contact point at the earcups,...
apple tv 4k design clue

Kuo: New Apple TV to Launch in Second Half of 2022, Lower Price Possible

Friday May 13, 2022 7:58 am PDT by
Apple plans to launch a new version of the Apple TV in the second half of 2022, according to well-known analyst Ming-Chi Kuo. In a tweet today, Kuo said the new Apple TV will have an improved cost structure, suggesting that the device could have a lower price that is more competitive with other streaming media players like Google's Chromecast line, Amazon's Fire TV line, and the Roku line. ...
iPhone 14 Purple Feature

Full Range of iPhone 14 Color Options Revealed by Purported Leak From China

Wednesday May 11, 2022 2:20 am PDT by
The iPhone 14 and iPhone 14 Pro models will be available in a refreshed range of color options, including an all-new purple color, according to a recent rumor. The claim comes from a post on Chinese social media site Weibo by an unverified source and purports to reveal the full range of color options for Apple's upcoming iPhone 14 and iPhone 14 Pro models. Compared to the selection of color...