Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities

A new report by security researchers Talal Haj Bakry and Tommy Mysk has revealed that link previews in messaging apps can lead to security and privacy issues on iOS and Android. Through link previews, Bakry and Mysk discovered that apps could leak IP addresses, expose links sent in end-to-end encrypted chats, download large files without users' consent, and copy private data.


Link previews offer a peek at content such as web pages or documents in many messaging apps. The feature allows users to see a short summary and preview image inline with the rest of the conversation without having to tap on the link.

Apps such as iMessage and WhatsApp ensure that the sender generates the preview, meaning that the receiver is protected from risk if the link is malicious. This is because the summary and preview image are created on the sender's device and sent as an attachment. The receiver's device will show the preview as it was transmitted from the sender without having to open the link. Apps that do not generate a link preview at all, such as TikTok and WeChat, are also unaffected.

The issue arises when the receiver generates the link preview, because the app automatically opens the link in the background to create the preview. This happens before the user taps the link, potentially exposing them to malicious content. Apps such as Reddit generate link previews in this way.

For example, a malicious actor could send a link to their own server. When the receiver's app automatically opens the link in the background, it would send the device's IP address to the server, revealing their location.

This approach can also cause problems if the link points to a large file, since the app may attempt to download the whole file, draining battery life and eating into the user's data plan.

Link previews can also be generated on an external server, and this is how many popular apps such as Discord, Facebook Messenger, Google Hangouts, Instagram, LinkedIn, Slack, Twitter, and Zoom work. In this case, the app will first send the link to an external server and ask it to generate a preview, and then the server will send the preview back to both the sender and receiver.

However, this may pose a security threat when the contents of the sent link are private. Using an external server allows these apps to potentially create unauthorized copies of private information and retain it for a period of time.

Although many of the apps had implemented a limit on how much of any link's content to download, the researchers found that Facebook Messenger and Instagram were notable for downloading the entirety of any link's contents to their servers, regardless of size. When questioned about this behavior, Facebook reportedly said that it considers this to be "working as intended."
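As an added example (not code from the report or from any of the apps named), here is a receiver-side preview builder that enforces the kind of byte cap the article says most apps apply, and that refuses non-HTML resources outright so a link to a large file is never downloaded in full. The cap value, the helper names and the sample page are all assumptions.

```python
from html.parser import HTMLParser
import io

MAX_PREVIEW_BYTES = 64 * 1024  # hypothetical cap; the article names no specific limit

class _OGParser(HTMLParser):
    """Collects Open Graph <meta> tags and the <title> text from (possibly truncated) HTML."""
    def __init__(self):
        super().__init__()
        self.meta, self.title, self._in_title = {}, "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        key = a.get("property") or a.get("name")
        if tag == "meta" and key and key.startswith("og:") and a.get("content"):
            self.meta.setdefault(key, a["content"])  # first occurrence wins
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def read_bounded(stream, limit=MAX_PREVIEW_BYTES, chunk=4096):
    """Read at most `limit` bytes from a file-like object; return (data, truncated)."""
    buf = bytearray()
    while len(buf) < limit:
        piece = stream.read(min(chunk, limit - len(buf)))
        if not piece:
            return bytes(buf), False
        buf += piece
    return bytes(buf), bool(stream.read(1))  # one extra byte tells us the cap was hit

def build_preview(content_type, data, limit=MAX_PREVIEW_BYTES):
    """Preview dict for an HTML body, or None for anything else (binaries, large downloads).
    `data` stands in for the HTTP response body; a real client would pass the response stream."""
    if not content_type.lower().startswith("text/html"):
        return None
    body, truncated = read_bounded(io.BytesIO(data), limit)
    p = _OGParser()
    p.feed(body.decode("utf-8", errors="replace")); p.close()
    return {"title": p.meta.get("og:title") or p.title.strip(),
            "description": p.meta.get("og:description", ""),
            "image": p.meta.get("og:image", ""), "truncated": truncated}

# Constructed sample page: a small <head> followed by a large body (not a real site)
SAMPLE_HTML = (b'<html><head><title>Fallback</title><meta property="og:title" content="Example article">'
               b'<meta property="og:image" content="https://example.invalid/img.png"></head><body>'
               + b"x" * 200_000 + b"</body></html>")
```

With a 4 KiB limit the sample page still yields a full preview because the metadata sits in the first few hundred bytes, while the 200 KB body is never read.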

Copies kept on external servers could be subject to data breaches, which may be particularly concerning for users of business apps such as Zoom and Slack, and those who send links to sensitive private data.

The research offers an appreciation of how the same exact feature can work in different ways, and how these differences can have a significant impact on security and privacy. See the full report for more information.

Top Rated Comments

jayducharme
12 months ago

Although many of the apps had implemented a data limit on how much of any link content to download, the researchers discovered that Facebook Messenger and Instagram were particularly notable for downloading the entirety of any link's contents to its servers, regardless of size.
And why does this not surprise me?
Score: 19 Votes (Like | Disagree)
macintoshmac
12 months ago

These automatic link previews are a cancer, when I am sending a link I don't need a preview, I know what I am sending.
Link previews are targeted at receivers who would appreciate a quick preview, not towards previews that are shown on sender's devices as well when senders send messages.
Score: 10 Votes (Like | Disagree)
doboy
12 months ago
Got it, use only iMessage :)
Score: 4 Votes (Like | Disagree)
Apple Freak
12 months ago

Rotary phones without answering machines and letter writing: It's the only solution!
Don't forget about smoke signals and carrier pigeons too.
Score: 3 Votes (Like | Disagree)
jonblatho
12 months ago

Security researchers do not agree on people not wanting it. They are commenting on misuse of automatic link preview.
To expand on this, they’re specifically taking issue with only some implementations which can create privacy and security risks. Granted, nothing that they discuss here is that bad or difficult to fix.
Score: 3 Votes (Like | Disagree)
Runs For Fun
12 months ago
It's interesting in this case (and probably many others) how there is a direct tradeoff between device security and data privacy.

If everything is generated externally and only a preview image is sent to your device, there is no security risk to your device (unless you open the link), but a privacy disadvantage.

If everything is generated on-device, there's no privacy issue in terms of third party services, but there is a privacy issue if the link is being used maliciously to track the user, and there's a potential security risk if there's a vulnerability on the page that requires no user interaction.

Of course, on the privacy side, if any sensitive content being linked to doesn't require a login, then it is only offering security by obscurity, which is so bad from a security standpoint already, so that's kind of a moot point. You likewise shouldn't be pushing passwords or whatnot in the URL.

Which is to say the researchers are right that the potential privacy hit is better than the potential local security hit, although I'm loath to say that when Facebook is involved since you can be pretty sure they're going to use this to abusively harvest and store any user data they possibly can.

I don't see Apple Messages anywhere on that list, and I know it generates previews, so I'm assuming they're the redacted one?

Interestingly, I've noticed that Messages will generate a preview of links from contacts in my address book, but does NOT generate a preview of links from other contacts. So I don't get previews from spam links or things like UPS tracking alerts, but I do get them from friends and co-workers.

This isn't perfect from a security standpoint, but seems like a not-so-bad compromise.
iMessage generates the preview on the sender's device, which is the correct way to do this. The problem here is some crappy third party apps don't do this and/or have no size limit for what is fetched for the preview.
Score: 3 Votes (Like | Disagree)
