Reportedly, the faulty implementation of link previews has made numerous chat apps vulnerable to cyber attacks. These apps include Facebook Messenger, Twitter, LINE, Slack, and many others. In the case of LinkedIn and Instagram, exploiting the flaw also allows remote code execution attacks.
Link Previews In Chat Apps Vulnerable
Security researchers Tommy Mysk and Talal Haj Bakry have found how link previews threaten the security of various chat apps.
As elaborated in their post, they found that the way different apps implemented link previews has security flaws. This is true for apps running on both the iOS and Android platforms.
We found several cases of apps with vulnerabilities such as: leaking IP addresses, exposing links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data quietly in the background.
Link preview is a useful feature in almost all chat apps: a brief preview of the content appears alongside a sent or received link, so users can see what the link is about.
However, apps like Signal, TikTok, Threema, and WeChat do not generate link previews, according to the researchers. Hence, they are not affected by the issues the researchers found this time.
As for the other apps, they described various approaches through which link previews appear.
Approach 1: Sender generates the preview
Applies to WhatsApp, Viber, iMessage, and Signal (with link preview enabled via settings). The sender of a link generates the preview that the receiver also views. The receiver can choose whether or not to click the link.
This is a rather safer approach, particularly when the sender trusts the link.
Approach 2: Receiver creates the preview
The receiver's app client automatically opens the link when it arrives in order to create the preview. To do so, the app sends a GET request, which carries your IP address, to the server behind the received link. The server then returns the information to your device.
That’s where the flaw exists. As stated by the researchers,
If you’re using an app that follows this approach, all an attacker would have to do is send you a link to their own server where it can record your IP address. Your app will happily open the link even without you tapping on it, and now the attacker will know where you are.
The researchers found two apps implementing this approach, whose names they have redacted for now.
Approach 3: Amalgam of Approach 1 and 2
Here, the app, while sending a link, sends a request to the link server for a preview. It then sends the preview to both the sender and the receiver, hence preventing the IP leak issue.
However, this approach is a privacy breach when sharing private links, such as a sensitive Dropbox link. This is because it remains unclear how much data the servers download during this process.
Also, it isn’t a feasible approach for apps with end-to-end encryption (no servers involved between the sender and the receiver).
The apps implementing this approach include Facebook Messenger, LINE, Discord, Instagram, Google Hangouts, Twitter, LinkedIn, Slack, Zoom, and two more apps that they haven’t named yet.
Consequently, here is what the researchers noticed.
- Facebook Messenger: Downloads pictures and videos regardless of the size.
- Instagram: Downloads any type of file regardless of the file size.
- LinkedIn: Downloads any file of up to 50 MB.
- Slack: Downloads any file of up to 50 MB.
- Zoom: Downloads any file of up to 30 MB.
- Twitter: Downloads any file of up to 25 MB.
- Google Hangouts: Downloads any file of up to 20 MB.
- LINE: Downloads any file of up to 20 MB.
- Discord: Downloads any file of up to 15 MB.
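The limits listed above determine how much a preview service will pull from a link it has never seen. As an added example (not code from the researchers or from any of the apps named), the sketch below refuses non-HTML content types and stops reading a streamed body at a byte cap; `build_preview`, `MAX_PREVIEW_BYTES`, the 64 KB value and the choice of Open Graph fields are assumptions made for illustration.

```python
import codecs
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap, not a value from the research
ALLOWED_TYPES = {"text/html", "application/xhtml+xml"}
WANTED = {"og:title", "og:description", "og:image"}


class OpenGraphParser(HTMLParser):
    """Collects the first og:title / og:description / og:image <meta> values."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        meta = dict(attrs) if tag == "meta" else {}
        prop, content = meta.get("property"), meta.get("content")
        if prop in WANTED and content and prop not in self.fields:
            self.fields[prop] = content


def build_preview(content_type, chunks, max_bytes=MAX_PREVIEW_BYTES):
    """Return (fields, bytes_read); `chunks` iterates a streamed response body."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_TYPES:
        return {}, 0  # pictures, videos, archives: refuse before reading
    parser, read = OpenGraphParser(), 0
    decode = codecs.getincrementaldecoder("utf-8")(errors="replace").decode
    for chunk in chunks:
        chunk = chunk[: max_bytes - read]  # never keep bytes past the cap
        read += len(chunk)
        parser.feed(decode(chunk))
        if read >= max_bytes or len(parser.fields) == len(WANTED):
            break  # cap reached, or everything the preview needs was found
    return parser.fields, read


def constructed_page():
    """Constructed sample: a small <head>, then a body that never ends."""
    yield b'<html><head><meta property="og:title" content="Quarterly report">'
    yield b'<meta property="og:description" content="Shared file"></head><body>'
    while True:
        yield b"A" * 4096


if __name__ == "__main__":
    print(build_preview("text/html; charset=utf-8", constructed_page()))
    print(build_preview("video/mp4", constructed_page()))
```

In a real service, `chunks` would be the streamed body of the HTTP response and `content_type` its `Content-Type` header.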
Response from Chat Apps on Issues with Link Previews
The apps responded differently to the researchers' report.
For Facebook (the tech giant behind Facebook Messenger and Instagram), the feature works as intended. According to their statement to Threatpost,
As we explained to the researcher weeks ago, these are not security vulnerabilities. The behavior described is how we show previews of a link on Messenger or how people can share a link on Instagram, and we don’t store that data. This is consistent with our data policy and terms of service.
LINE, a chat app offering end-to-end encryption, has simply updated its FAQ page to explain how previews work. However, with versions 10.18.0 for Android and 10.16.1 for iOS, LINE no longer leaks IP addresses.
Slack confirmed caching the previews for around 30 minutes.
For LinkedIn and Instagram, the researchers could also exploit link previews for remote code execution attacks. Videos demonstrate the attack for LinkedIn and for Instagram.
However, LinkedIn told the researchers that their servers are sandboxed.
Moreover, Viber also downloads large files, despite implementing Approach 1 for link previews. Also, tapping on links involves Viber servers for fraud protection and ad personalization.
Besides, the researchers didn't mention Telegram in their article. Yet, Telegram seems to use Approach 1, as elaborated on their site.
As for the apps with redacted names, the researchers may disclose them after the apps deploy a fix.
However, whether or not an app addresses this issue, this research has clearly shown how link previews threaten user privacy. Apart from the apps clearly using the safer approaches, users must remain careful while sharing sensitive documents, pictures, videos, and links to sensitive data while using chat apps.