Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities

by

A new report by security researchers Talal Haj Bakry and Tommy Mysk has revealed that link previews in messaging apps can lead to security and privacy issues on iOS and Android. Through link previews, Bakry and Mysk discovered that apps could leak IP addresses, expose links sent in end-to-end encrypted chats, download large files without users' consent, and copy private data.

link preview example signal

Link previews offer a peek at content such as web pages or documents in many messaging apps. The feature allows users to see a short summary and preview image inline with the rest of the conversation without having to tap on the link.

Apps such as iMessage and WhatsApp ensure that the sender generates the preview, meaning that the receiver is protected from risk if the link is malicious. This is because the summary and preview image are created on the sender's device and sent as an attachment. The receiver's device will show the preview as it was transmitted from the sender without having to open the link. Apps that do not generate a link preview at all, such as TikTok and WeChat, are also unaffected.

The issue arises when the receiver generates the link preview, because the app will automatically open the link in the background to create the preview. This occurs before users even tap on the link, potentially exposing them to malicious content. Apps such as Reddit generate links in this way.

For example, a malicious actor could send a link to their own server. When the receiver's app automatically opens the link in the background, it would send the device's IP address to the server, revealing their location.

This approach can also cause issues if the link points to a large file, whereupon the app may attempt to download the whole file, draining battery life and hemorrhaging data plan limits.

Link previews can also be generated on an external server, and this is how many popular apps such as Discord, Facebook Messenger, Google Hangouts, Instagram, LinkedIn, Slack, Twitter, and Zoom work. In this case, the app will first send the link to an external server and ask it to generate a preview, and then the server will send the preview back to both the sender and receiver.

However, this may pose a security threat when the contents of the sent link are private. Using an external server allows these apps to potentially create unauthorized copies of private information and retain it for a period of time.

Although many of the apps had implemented a data limit on how much of any link content to download, the researchers discovered that Facebook Messenger and Instagram were particularly notable for downloading the entirety of any link's contents to its servers, regardless of size. When questioned about this behavior, Facebook reportedly said that it considers this to be "working as intended."

Copies kept on external servers could be subject to data breaches, which may be particularly concerning for users of business apps such as Zoom and Slack, and those who send links to sensitive private data.

The research offers an appreciation of how the same exact feature can work in different ways, and how these differences can have a significant impact on security and privacy. See the full report for more information.

Tags: Cybersecurity, Messages

Popular Stories

AirPods Pro Firmware Feature

Apple Releases New Firmware for AirPods Pro 2, AirPods Pro 3, and AirPods 4

Thursday November 13, 2025 11:35 am PST by
Apple today released new firmware designed for the AirPods Pro 3, the AirPods 4, and the prior-generation AirPods Pro 2. The AirPods Pro 3 firmware is 8B25, while the AirPods Pro 2 and AirPods 4 firmware is 8B21, all up from the prior 8A358 firmware released in October. There's no word on what's include in the updated firmware, but the AirPods Pro 2, AirPods 4 with ANC, and AirPods Pro 3...
Read Full Article65 comments
CarPlay Pinned Messages

iOS 26.2 Adds New CarPlay Setting

Thursday November 13, 2025 6:48 am PST by
iOS 26 extended pinned conversations in the Messages app to CarPlay, for quick access to your most frequent chats. However, some drivers may prefer the classic view with a list of individual conversations only, and Apple now lets users choose. Apple released the second beta of iOS 26.2 this week, and it introduces a new CarPlay setting for turning off pinned conversations in the Messages...
Read Full Article24 comments
Tesla Charging

Tesla Working to Add Apple CarPlay Support to Vehicles

Thursday November 13, 2025 8:31 am PST by
Tesla is working to add support for Apple CarPlay in its vehicles, Bloomberg's Mark Gurman reports. Tesla vehicles rely on its own infotainment software system, which integrates vehicle functions, navigation, music, web browsing, and more. The automaker has been an outlier in foregoing support for Apple CarPlay, which has otherwise become an industry standard feature, allowing users to...
Read Full Article293 comments
iPhone Pocket Short

iPhone Pocket Now Available to Order, But Already Selling Out

Friday November 14, 2025 6:20 am PST by
Apple recently teamed up with Japanese fashion brand ISSEY MIYAKE to create the iPhone Pocket, a limited-edition knitted accessory designed to carry an iPhone. iPhone Pocket is available to order on Apple's online store starting today, in the United States, France, China, Italy, Japan, Singapore, South Korea, and the United Kingdom. However, it is already completely sold out in the United...
Read Full Article182 comments
tvOS 26 Profiles

tvOS 26.2 Adds a Useful New Feature to Your Apple TV

Friday November 14, 2025 10:02 am PST by
Starting with the upcoming tvOS 26.2 update, currently in beta, additional profiles created on the Apple TV no longer require their own Apple Account. In the Settings app on the Apple TV, under Profiles and Accounts, anyone can create a new profile by simply entering a name and indicating whether the profile is for a kid. The profile will be associated with the primary user's Apple Account,...
Read Full Article
homepod mini thumb feature

New HomePod Mini, Apple TV, and AirTag Were Expected This Year — Where Are They?

Wednesday November 12, 2025 11:42 am PST by
While it was rumored that Apple planned to release new versions of the HomePod mini, Apple TV, and AirTag this year, it is no longer clear if that will still happen. Back in January, Bloomberg's Mark Gurman said Apple planned to release new HomePod mini and Apple TV models "toward the end of the year," while he at one point expected a new AirTag to launch "around the middle of 2025." Yet,...
Read Full Article118 comments
iOS 26

iOS 26.2 Available Next Month With These 8 New Features

Tuesday November 11, 2025 9:48 am PST by
Apple released the first iOS 26.2 beta last week. The upcoming update includes a handful of new features and changes on the iPhone, including a new Liquid Glass slider for the Lock Screen's clock, offline lyrics in Apple Music, and more. In a recent press release, Apple confirmed that iOS 26.2 will be released to all users in December, but it did not provide a specific release date....
Read Full Article68 comments
m1 chip slide

Five Years of Apple Silicon: M1 to M5 Performance Comparison

Monday November 10, 2025 1:08 pm PST by
Today marks the fifth anniversary of the Apple silicon chip that replaced Intel chips in Apple's Mac lineup. The first Apple silicon chip, the M1, was unveiled on November 10, 2020. The M1 debuted in the MacBook Air, Mac mini, and 13-inch MacBook Pro. The M1 chip was impressive when it launched, featuring the "world's fastest CPU core" and industry-leading performance per watt, and it's only ...
Read Full Article177 comments
walmart new ornametns

Walmart Black Friday Deals Begin Today With Low Prices on Headphones, TVs, and More

Friday November 14, 2025 7:55 am PST by
Walmart's Black Friday sale has officially kicked off today, with an online shopping event that's also seeing some matching deals in retail locations. There are quite a few major discounts in this sale, including savings on headphones, TVs, and more. Note: MacRumors is an affiliate partner with Walmart. When you click a link and make a purchase, we may receive a small payment, which helps us...
Read Full Article13 comments
iOS 26

Everything New in iOS 26.2 Beta 2

Wednesday November 12, 2025 3:29 pm PST by
Apple today provided developers with the second beta of iOS 26.2, which adds a few new features worth knowing about. Measure App Apple's Measure app now features a Liquid Glass design for the level, with two Liquid Glass bubbles instead of white circles. Games App There's now an option to sort games in the Games app Library by size, in addition to Name and Recent. CarPlay The...
Read Full Article64 comments

Top Rated Comments

jayducharme Avatar
jayducharme
66 months ago

Although many of the apps had implemented a data limit on how much of any link content to download, the researchers discovered that Facebook Messenger and Instagram were particularly notable for downloading the entirety of any link's contents to its servers, regardless of size.
And why does this not surprise me?
Score: 19 Votes (Like | Disagree)
macintoshmac Avatar
macintoshmac
66 months ago

These automatic link previews are a cancer, when I am sending a link I don't need a preview, I know what I am sending.
Link previews are targeted at receivers who would appreciate a quick preview, not towards previews that are shown on sender's devices as well when senders send messages.
Score: 10 Votes (Like | Disagree)
doboy Avatar
doboy
66 months ago
Got it, use only iMessage :)
Score: 4 Votes (Like | Disagree)
Apple Freak Avatar
Apple Freak
66 months ago

Rotary phones without answering machines and letter writing: It's the only solution!
Don't forget about smoke signals and carrier pigeons too.
Score: 3 Votes (Like | Disagree)
jonblatho Avatar
jonblatho
66 months ago

Security researchers do not agree on people not wanting it. They are commenting on misuse of autoamtic link preview.
To expand on this, they’re specifically taking issue with only some implementations which can create privacy and security risks. Granted, nothing that they discuss here is that bad or difficult to fix.
Score: 3 Votes (Like | Disagree)
Runs For Fun Avatar
Runs For Fun
66 months ago
It's interesting in this case (and probably many others) how there is a direct tradeoff between device security and data privacy.

If everything is generated externally and only a preview image is sent to your device, there is no security risk to your device (unless you open the link), but a privacy disadvantage.

If everything is generated on-device, there's no privacy issue in terms of third party services, but there is a privacy issue if the link is being used maliciously to track the user, and there's a potential security risk if there's a vulnerability on the page that requires no user interaction.

Of course, on the privacy side, if any sensitive content being linked to doesn't require a login, then it is only offering security by obscurity, which is so bad from a security standpoint already, so that's kind of a moot point. You likewise shouldn't be pushing passwords or whatnot in the URL.

Which is to say the researchers are right that the potential privacy hit is better than the potential local security hit, although I'm loathe to say that when Facebook is involved since you can be pretty sure they're going to use this to abusively harvest and store any user data they possibly can.

I don't see Apple Messages anywhere on that list, and I know it generates previews, so I'm assuming they're the redacted one?

Interestingly, I've noticed that Messages will generate a preview of links from contacts in my address book, but does NOT generate a preview of links from other contacts. So I don't get previews from spam links or things like UPS tracking alerts, but I do get them from friends and co-workers.

This isn't perfect from a security standpoint, but seems like a not-so-bad compromise.
iMessage generates the preview one the sender’s device which is the correct way to do this. The problem here is some crappy third party apps don’t do this and/or have no size limit for what is fetched for the preview.
Score: 3 Votes (Like | Disagree)
Read All Comments