A report from security researchers suggests popular chat applications on iOS and Android are a major privacy concern. Specifically, link previews on apps such as Facebook Messenger, Twitter, Zoom, LinkedIn, LINE, and Slack are a hotbed of privacy problems.

Looking specifically at LinkedIn and Instagram, bad actors could carry out remote code execution attacks on servers. Most chat apps use link previews to highlight received links alongside a preview image. It’s useful for the user because they can get an idea of what the link is about without clicking on it.

Research from Talal Haj Bakry and Tommy Mysk finds this useful tool can also leak IP addresses. Some links have been found to be “unnecessarily downloading gigabytes of data quietly in the background.”

This problem stems from the construction of the previews. Links are either sender-generated, receiver-generated, or server-generated. All have issues, but the server-generated links are a major problem according to the authors.

“How does the app know what to show in the summary?” Bakry and Mysk explained. “It must somehow automatically open the link to know what’s inside. But is that safe? What if the link contains malware? Or what if the link leads to a very large file that you wouldn’t want the app to download and use up your data.”

Server Generated Links

For a link that is generated by the server, an external server will receive a request from the messaging app to create a preview. The server then sends the preview back to an app like LinkedIn or Instagram, viewable to both the sender and the receiver.

This removes one issue, whereby sender- and receiver-generated previews leak IP addresses; that does not happen when a server generates the preview. However, the problem is worse because it could leak information to third parties. This could in turn allow attackers to achieve code execution if the link leads to a malicious site.

“Say you were sending a private Dropbox link to someone, and you don’t want anyone else to see what’s in it,” researchers say. “The question becomes…are the servers downloading entire files, or only a small amount to show the preview? If they’re downloading entire files, do the servers keep a copy, and if so for how long? And are these copies stored securely, or can the people who run the servers access the copies?”

How much data the servers download and put at risk depends on the app:

  • Facebook Messenger downloads whole files
  • Google Hangouts downloads up to 20MB of a file
  • Instagram downloads whole files
  • LINE downloads up to 20MB
  • LinkedIn downloads up to 50MB of any file
  • Slack also downloads up to 50MB

“Though most of the app servers we’ve tested put a limit on how much data gets downloaded, even a 15 MB limit still covers most files that would typically be shared through a link (most pictures and documents don’t exceed a few MBs in size),” the researchers add. “So, if these servers do keep copies, it would be a privacy nightmare if there’s ever a data breach of these servers.”
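The download limits above suggest what a more conservative server-side preview generator could look like. The sketch below is an added example, not code from the researchers or from any of the apps named; `build_preview`, `PREVIEW_BYTE_CAP` and the 64 KB cap are assumptions chosen for illustration. It refuses non-HTML content before reading any of the body and stops reading as soon as the page's `<head>` closes or the cap is reached.

```python
import codecs
from html.parser import HTMLParser

PREVIEW_BYTE_CAP = 64 * 1024  # assumed cap: room for a typical <head>, far below 20-50 MB


class _OpenGraphParser(HTMLParser):
    """Collects og:* <meta> properties and notes when </head> has been seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = {}
        self.head_done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and a.get("content"):
            self.tags.setdefault(prop, a["content"])  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.head_done = True


def build_preview(content_type, body_chunks, cap=PREVIEW_BYTE_CAP):
    """Return (og_tags, bytes_read). body_chunks is any iterator of bytes,
    such as a streamed HTTP response body; it is consumed lazily."""
    # Refuse anything that is not HTML before reading a single body byte,
    # so a link to a private document or archive is never downloaded.
    if content_type.split(";")[0].strip().lower() != "text/html":
        return {}, 0
    parser, read = _OpenGraphParser(), 0
    decoder = codecs.getincrementaldecoder("utf-8")(errors="replace")
    for chunk in body_chunks:
        chunk = chunk[: cap - read]          # never exceed the cap
        read += len(chunk)
        parser.feed(decoder.decode(chunk))
        if parser.head_done or read >= cap:  # preview metadata lives in <head>
            break
    return parser.tags, read


def constructed_page():
    """Constructed sample: small <head>, then about 1 GB of body that must stay unread."""
    yield b'<html><head><meta property="og:title" content="Quarterly report">'
    yield b'<meta property="og:image" content="https://example.test/a.png"></head>'
    for _ in range(1_000_000):
        yield b"x" * 1024
```

Because the body is pulled chunk by chunk, nothing beyond the preview metadata is ever held by the server, which narrows the retention question the researchers raise.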