Have you noticed how a link sent through a messaging app such as Messenger, WhatsApp or iMessage is turned into a preview card with an image, a headline and often a short description? The feature is genuinely useful: it tells you what a link is about before you open it, so you can ignore it or, if it looks interesting, tap through for the full page. That convenience comes with its own set of privacy concerns, as security researchers Talal Haj Bakry and Tommy Mysk have shown.
According to the researchers, link previews can leak user data on both Android and iOS. The problem is who fetches the link. When the receiving app fetches the linked page automatically in the background to build the preview, the server hosting that page (which an attacker controls if they sent the link) sees the recipient's IP address without the recipient ever tapping the link. Reddit's chat was one of the apps in which they observed this behaviour.
In apps such as Zoom, Instagram, Messenger and Twitter the preview is instead generated on the company's own servers. For that to work, the server has to receive the link itself, which means every link shared in a chat is visible to anyone with access to those servers, regardless of what the app promises about encryption. The exposure is worst in an app like Zoom, which is routinely used to share sensitive personal content. TikTok and WeChat, by contrast, do not generate link previews at all.
Another worrying finding is that the preview generators download whatever the link points to, without any user consent and with little regard for size: the researchers saw Messenger's servers pull a 20 MB file just to build a preview. In some cases the server also executed scripts contained in the linked page while rendering it, which hands an attacker code execution on the preview infrastructure.
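The two failure modes described above (unbounded downloads and executing the linked page's scripts) come from treating the link target as something to render rather than something to parse. The following is an added illustration, not code from the researchers or from any of the apps named here: a preview builder that caps how many bytes it will read, refuses non-HTML content outright, and extracts the Open Graph tags with a static parser so that a `<script>` in the page is never run. The sample page and the 1 MiB limit are constructed for the example.

```python
import io
from html.parser import HTMLParser

# Constructed policy limit for this example; a real deployment would tune it.
MAX_PREVIEW_BYTES = 1 * 1024 * 1024


class PreviewTooLarge(Exception):
    """Raised instead of silently downloading a body larger than the cap."""


def read_capped(stream, max_bytes=MAX_PREVIEW_BYTES, chunk_size=64 * 1024):
    """Read at most max_bytes from a binary stream, aborting as soon as the cap is exceeded.

    Checking the cap per chunk matters because Content-Length may be absent or lie.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise PreviewTooLarge(f"body exceeded {max_bytes} bytes")


class _MetaParser(HTMLParser):
    """Collect <meta> tags and <title> text. Nothing is executed; <script> bodies are ignored."""

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            key = a.get("property") or a.get("name")
            if key and "content" in a:
                self.meta.setdefault(key.lower(), a["content"])  # first occurrence wins
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_preview(body, content_type="text/html"):
    """Return {'title', 'description', 'image'} from HTML bytes, or None for non-HTML content.

    Refusing anything that is not text/html means a link to a video or archive never
    gets fetched as preview material in the first place.
    """
    if not content_type.lower().startswith("text/html"):
        return None
    p = _MetaParser()
    p.feed(body.decode("utf-8", errors="replace"))
    return {
        "title": p.meta.get("og:title") or p.title.strip() or None,
        "description": p.meta.get("og:description") or p.meta.get("description"),
        "image": p.meta.get("og:image"),
    }


def build_preview(stream, content_type, content_length=None, max_bytes=MAX_PREVIEW_BYTES):
    """Build a preview from an already-open response body, enforcing the size cap twice:
    once on the declared Content-Length (cheap early exit) and again while reading."""
    if content_length is not None and content_length > max_bytes:
        raise PreviewTooLarge(f"declared length {content_length} exceeds {max_bytes}")
    body = read_capped(stream, max_bytes)
    return extract_preview(body, content_type)


# Constructed sample page: the script would rewrite og:title if a browser engine ran it.
SAMPLE_HTML = b"""<html><head>
<title>Acme</title>
<meta property="og:title" content="Quarterly report">
<meta property="og:description" content="Q3 numbers">
<meta property="og:image" content="https://example.com/cover.png">
<script>document.querySelector('meta[property="og:title"]').content = 'pwned';</script>
</head><body>hello</body></html>"""


def demo():
    preview = build_preview(io.BytesIO(SAMPLE_HTML), "text/html", content_length=len(SAMPLE_HTML))
    try:
        build_preview(io.BytesIO(b"x" * 2000), "text/html", max_bytes=1024)
        oversized_rejected = False
    except PreviewTooLarge:
        oversized_rejected = True
    return preview, oversized_rejected


if __name__ == "__main__":
    print(demo())
```

The size cap and the static parse address the download and script-execution issues, but not the IP leak: that is decided by which host opens the connection. A sender-side preview (the sender fetches the page and ships the preview inside the message) or a fetch routed through a dedicated egress proxy keeps the recipient's address out of the attacker's logs; the code above is agnostic to that choice because it only consumes an already-open stream.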
The duo confirmed the IP leak experimentally by sending links through the affected apps and watching the requests arrive at their own server. Now that the findings are public, app developers need to harden the link preview feature so that it stops leaking who opens a chat, what was shared in it, and what the preview servers are willing to download and run.