
Link Previews Make Chat Apps Vulnerable To Data Leak And RCE Attacks

by Abeerah Hashim

Flawed link-preview implementations have reportedly left numerous chat apps open to attack. The affected apps include Facebook Messenger, Twitter, LINE, Slack, and many others. In the case of LinkedIn and Instagram, the researchers were also able to turn the flaw into remote code execution.

Link Previews In Chat Apps Vulnerable

Security researchers Tommy Mysk and Talal Haj Bakry have found how link previews threaten the security of various chat apps.

As elaborated in their post, they found that the way different apps implemented link previews has security flaws. This is true for apps running on both the iOS and Android platforms.

We found several cases of apps with vulnerabilities such as: leaking IP addresses, exposing links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data quietly in the background.

Link previews are a feature of almost all chat apps: when a link is sent or received, a brief summary of the linked content (title, description, thumbnail) appears alongside it, so users can see what the link is about before opening it.

According to the researchers, apps such as Signal (by default), TikTok, Threema, and WeChat do not generate link previews at all, and therefore are not affected by the issues found this time.

As for the other apps, they described various approaches through which link previews appear.

Approach 1: Sender generates the preview

Applies to WhatsApp, Viber, iMessage, and Signal (with link preview enabled via settings). The sender of a link generates the preview that the receiver also views. The receiver can choose whether or not to click the link.

This is the safer approach: only the sender's device contacts the linked server, and the recipient's device never touches the link unless the recipient chooses to open it. It is particularly safe when the sender already trusts the link.

Approach 2: Receiver creates the preview

The recipient's app client automatically opens the link on receipt to build the preview. To do so, it sends an HTTP GET request to the server behind the link, and that request necessarily carries the recipient's IP address. The server learns the address (and from it, the approximate location) of everyone who merely receives the link.

That’s where the flaw exists. As stated by the researchers,

If you’re using an app that follows this approach, all an attacker would have to do is send you a link to their own server where it can record your IP address. Your app will happily open the link even without you tapping on it, and now the attacker will know where you are.

The researchers found two apps implementing this approach, whose names they have redacted for now.

Approach 3: Amalgam of Approach 1 and 2

Here, when a link is sent, the app's own server fetches the link and generates the preview, then delivers that preview to both the sender and the recipient. Since only the provider's server contacts the linked site, the recipient's IP address is not exposed.

However, this approach is a privacy problem when sharing private links, such as a Dropbox link to a sensitive document: the provider's server retrieves the linked content itself, and it remains unclear how much of that data the servers download and how long they keep it.

It is also fundamentally at odds with end-to-end encryption. The server is not supposed to be able to read the message, so it can only fetch the link if the client hands it the link outside the encrypted channel, which is exactly the exposure of links in end-to-end encrypted chats that the researchers describe.

The apps implementing this approach include Facebook Messenger, LINE, Discord, Instagram, Google Hangouts, Twitter, LinkedIn, Slack, Zoom, and two more apps that they haven’t named yet.

Consequently, here is what the researchers noticed.

  • Facebook Messenger: Downloads pictures and videos regardless of the size.
  • Instagram: Downloads any type of file regardless of the file size.
  • LinkedIn: Downloads any file of up to 50 MB.
  • Slack: Downloads any file of up to 50 MB.
  • Zoom: Downloads any file of up to 30 MB.
  • Twitter: Downloads any file of up to 25 MB.
  • Google Hangouts: Downloads any file of up to 20 MB.
  • LINE: Downloads any file of up to 20 MB.
  • Discord: Downloads any file of up to 15 MB.
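The caps above are per-file download limits, which is the wrong control: a preview only needs the metadata in a page's `<head>`, and a preview fetcher has no reason to download a PDF or a video at all. The example below, added here and not code from the researchers or from any of the apps named, shows what a hardened server-side (Approach 3) or sender-side (Approach 1) preview fetcher checks before and while it reads a link: it refuses non-HTTP schemes and literal loopback, private and link-local targets (so a crafted link cannot point the fetcher at the app's own infrastructure), declines any response that is not HTML, and reads HTML in chunks only until `</head>` (or `<body>`) is seen or a small byte cap is reached. The byte cap, the MIME whitelist, the `fetch` callback and all sample pages are assumptions constructed for the example so that it runs offline.

```python
import codecs
import io
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Policy values chosen for this example (assumptions, not any app's real limits).
# The per-app caps in the article are 15-50 MB; page metadata fits in a few KB.
MAX_PREVIEW_BYTES = 256 * 1024
ALLOWED_SCHEMES = {"http", "https"}
PREVIEWABLE_TYPES = {"text/html", "application/xhtml+xml"}


class UnsafeTarget(Exception):
    """Raised for URLs the fetcher refuses to contact at all."""


def is_safe_target(url):
    """Refuse non-HTTP schemes and literal loopback/private/link-local hosts,
    so a crafted link cannot turn the preview fetcher into an SSRF proxy into
    the app's own network (e.g. the 169.254.169.254 cloud metadata endpoint).
    DNS names are not resolved here; a real fetcher must re-check the resolved
    address as well, which this offline example cannot show."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme not in ALLOWED_SCHEMES or not host or host == "localhost":
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # a DNS name, not an IP literal


class _MetaParser(HTMLParser):
    """Collects <title> and <meta property="og:..."> tags from <head> only and
    sets `done` as soon as <head> closes or <body> opens."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.done = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and a.get("content"):
            self.fields.setdefault(prop[3:], a["content"])
        elif tag == "title":
            self._in_title = True
        elif tag == "body":
            self.done = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.done = True

    def handle_data(self, data):
        if self._in_title and not self.done and data.strip():
            self.fields.setdefault("page_title", data.strip())


def build_preview(url, fetch, limit=MAX_PREVIEW_BYTES):
    """Build a preview dict for `url`. `fetch(url) -> (content_type, stream)` is
    injected so the example runs offline; in a client it would be an HTTP GET
    with a timeout and a redirect limit. Non-HTML responses are never read, and
    HTML is read in chunks only until <head> ends or the byte cap is hit, so a
    multi-gigabyte page costs at most `limit` bytes."""
    if not is_safe_target(url):
        raise UnsafeTarget(url)
    content_type, stream = fetch(url)
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in PREVIEWABLE_TYPES:
        return {"url": url, "skipped": f"not previewable: {mime}", "bytes_read": 0}

    parser = _MetaParser()
    decoder = codecs.getincrementaldecoder("utf-8")(errors="replace")
    got = 0
    while got < limit and not parser.done:
        piece = stream.read(min(8192, limit - got))
        if not piece:
            break
        got += len(piece)
        parser.feed(decoder.decode(piece))
    parser.close()
    f = parser.fields
    return {
        "url": url,
        "title": f.get("title") or f.get("page_title") or url,
        "description": f.get("description", ""),
        "image": f.get("image"),
        "bytes_read": got,
    }


# Constructed sample responses standing in for real servers (not real data).
_SAMPLE_PAGE = (b"<html><head><title>Fallback title</title>\n"
                b'<meta property="og:title" content="Quarterly report">\n'
                b'<meta property="og:description" content="Internal draft">\n'
                b'<meta property="og:image" content="https://example.com/cover.png">\n'
                b"</head><body>" + b"x" * 1_000_000 + b"</body></html>")
_SAMPLE_RESPONSES = {
    "https://example.com/report": ("text/html; charset=utf-8", _SAMPLE_PAGE),
    "https://example.com/big.pdf": ("application/pdf", b"%PDF-1.7 " + b"\0" * 3_000_000),
    "https://example.com/nohead": ("text/html", b"<html>" + b"<p>" * 500_000),  # never closes <head>
}


def fake_fetch(url):
    content_type, body = _SAMPLE_RESPONSES[url]
    return content_type, io.BytesIO(body)


if __name__ == "__main__":
    for u in _SAMPLE_RESPONSES:
        print(build_preview(u, fake_fetch))
```

Run as a script, the 1 MB sample page yields a full preview after a single 8 KB read, the PDF is not read at all, and the page that never closes its `<head>` is cut off at the cap rather than downloaded whole. Whether the fetch runs on the provider's server or on the sender's device, the same three checks bound what a link can make the fetcher do.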

Response from Chat Apps on Issues with Link Previews

In response to the researchers’ report, different apps have responded differently.

For Facebook (tech giant behind Facebook Messenger and Instagram), the feature works as intended. According to their statement to Threatpost,

As we explained to the researcher weeks ago, these are not security vulnerabilities. The behavior described is how we show previews of a link on Messenger or how people can share a link on Instagram, and we don’t store that data. This is consistent with our data policy and terms of service.

LINE, a chat app offering end-to-end encryption, has simply updated its FAQ page to explain how previews work. However, as of versions 10.18.0 for Android and 10.16.1 for iOS, LINE no longer leaks IP addresses.

Slack confirmed caching the previews for around 30 minutes.

For LinkedIn and Instagram, the researchers could also exploit link previews for remote code execution on the servers that generate the previews. They published videos demonstrating the attack against each of LinkedIn and Instagram.

However, LinkedIn told the researchers that their servers are sandboxed.

Moreover, Viber also downloads large files for previews despite implementing Approach 1. In addition, tapping on a link in Viber routes through Viber's servers for fraud protection and ad personalization.

The researchers did not mention Telegram in their article. Judging by the explanation on Telegram's own site, it appears to use Approach 1.

As for the apps with names redacted, perhaps, the researchers may disclose their names after the apps deploy a fix.

Whether or not a given app addresses the issue, this research clearly shows how link previews threaten user privacy. Outside the apps that clearly use the safer approaches, users should be careful when sharing sensitive documents, pictures, videos, and links to sensitive data over chat apps.

