Researchers demonstrate how link previews in apps can expose data from users


Almost all popular messaging apps offer link previews, which let users know the content of a URL in advance. However, security researchers Talal Haj Bakry and Tommy Mysk have discovered that these link previews can expose user data in both iOS and Android apps.

When you send any link through a messaging app like Messenger, WhatsApp, and even iMessage, the app generates a preview of that link which usually contains an image, title, and sometimes a short text. Although this is an extremely useful feature, Bakry and Mysk have raised some privacy concerns about it.

Let’s take a step back and think about how a preview gets generated. How does the app know what to show in the summary? It must somehow automatically open the link to know what’s inside. But is that safe? What if the link contains malware? Or what if the link leads to a very large file that you wouldn’t want the app to download and use up your data?

The researchers explain that there are different ways to generate these previews and that some methods are more secure than others. iMessage and WhatsApp, for example, fetch the content of a URL right when you send it to someone else. This probably means that you know what is being shared, and also that the other person receives the preview that was generated on your device.

Reddit and other apps, however, generate the preview on the receiver’s device. Once you receive a link in these apps, they open the URL in the background and then generate the preview. With this method, an unknown person can send you a malicious link that collects data from your device, such as the IP address of your phone and, consequently, its approximate location.

However, there is a third approach that may actually put your personal data in danger. As the researchers have pointed out, apps like Discord, Messenger, Instagram, and Twitter generate these link previews on a remote server instead of on the sender’s or receiver’s device. For users, that means messages containing URLs are not end-to-end encrypted, so anyone with access to these servers can view the chat content.

They also found that some of these apps download the linked content and generate previews automatically, even when the link points to a large file. Facebook Messenger, for instance, can download a file of up to 20 MB without any user interaction, which seems unnecessary for showing an image and some text. And, of course, that also means your personal files are stored on the servers of these companies without encryption, since the previews are generated online.

So that secret design document that you shared a link to from your OneDrive, and you thought you had deleted because you no longer wanted to share it? There might be a copy of it on one of these link preview servers.

In one of their tests, the researchers were able to obtain the IP addresses of receivers simply by sending links through apps that automatically fetch the links to generate previews. They also warn that in some cases, webpages can even run malicious JavaScript code through these previews.
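As an added illustration (not code from the researchers or from any of the apps named), the sketch below shows a preview generator that limits two of the risks described above: it stops reading after a fixed byte budget, and it only parses static HTML metadata, so no JavaScript runs. The 256 KiB budget, the function names and the sample page are assumptions made for this example.

```python
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 256 * 1024  # assumed budget: a preview only needs the <head>

class PreviewParser(HTMLParser):
    """Collects <title> and Open Graph <meta> tags; script text is never executed."""
    def __init__(self):
        super().__init__()
        self.fields, self._in_title = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.fields.setdefault(a["property"][3:], a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.fields.setdefault("title", data.strip())

def build_preview(content_type, chunks, max_bytes=MAX_PREVIEW_BYTES):
    """chunks: iterable of bytes, as a streaming HTTP client would yield the body."""
    if not content_type.lower().startswith("text/html"):
        return {"error": "not html", "bytes_read": 0}  # body is never pulled
    buf = bytearray()
    for chunk in chunks:
        buf += chunk[:max_bytes - len(buf)]
        if len(buf) >= max_bytes:
            break  # stop pulling data: the rest of the body is not downloaded
    parser = PreviewParser()
    parser.feed(buf.decode("utf-8", errors="replace"))
    return {"bytes_read": len(buf), **parser.fields}

# Constructed sample page for this example (not taken from the research).
SAMPLE_HTML = (
    b'<html><head><title>Design doc</title>'
    b'<meta property="og:image" content="https://example.com/a.png">'
    b'<script>document.title = "changed by script"</script></head></html>')

def huge_body(counter, chunk=b"A" * 65536, total=20 * 1024 * 1024):
    """Constructed 20 MB body yielded lazily; counter[0] counts chunks pulled."""
    for _ in range(total // len(chunk)):
        counter[0] += 1
        yield chunk
```

With the constructed 20 MB body, only four 64 KiB chunks are read before the generator is abandoned, and a non-HTML content type is rejected before any of the body is read.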

The team contacted the developers of the apps mentioned in the article to check how they plan to make link previews more secure. Until then, you can check the full research in detail on Mysk’s blog.
