Link previews could lead to security vulnerabilities — Here’s how

Almost every popular app has the link preview feature, but what exactly are link previews?

Ever noticed that when you send a link on WhatsApp, Discord, Facebook Messenger or any other chat app, the app shows a small summary of the linked page? That’s a link preview.

It’s a convenient and helpful feature for users, as there is no need to open the link. But this convenient feature can leak IP addresses, expose links sent in end-to-end encrypted chats and download huge amounts of data without the user’s consent.

This is according to a new report published by independent security researchers Talal Haj Bakry and Tommy Mysk. There are three ways in which a link preview can be generated:

  • Sender-generated preview
  • Receiver-generated preview
  • Server-generated preview

In the sender-generated method, when a link is sent, the sender’s app downloads the contents of the link. It then creates a summary and a preview image of the website and sends them as an attachment together with the link.

The app on the receiving side gets the message and displays the preview exactly as it received it from the sender, without having to open the link itself. This protects the receiver from a link that might lead to malicious content.

In the receiver-generated method, when you receive a link, your app automatically opens it as one of the steps in creating a preview: it connects to the server the link leads to and asks the server what is behind the link. This is done with an HTTP GET request.

The app needs to get information from the server, but before the server can reply, it has to know where to send the reply. So the request carries the mobile device’s IP address, which becomes the destination IP address of the server’s reply.

An IP address can also reveal your approximate location to an attacker without you being aware of what is going on. The report explains:

“What if an attacker wants to know your approximate location without you noticing, down to the block? If you are using an app that follows this approach, all the attacker would have to do is send you a link to their own server where it can record your IP address”.

In the server-generated method, when a user sends a link, the app first sends the link to an external server and asks it to generate a preview. The server then sends the preview back to both the sender and the receiver.

In this method, IP addresses are not exposed, as neither the sender nor the receiver has to open the link.

But suppose a private link is being sent. To generate a preview, the server needs to make a copy, complete or partial, of what the link contains. Whenever a third-party server is involved, the same questions arise:

  • Do these servers keep copies?
  • If yes, for how long?
  • And apart from generating a preview, what else do these servers do with the information they copied?

To generate a copy, the servers must download whatever is in the link.

“Links shared in chats may contain private information intended only for recipients. This could be bills, contracts, medical records or anything that may be confidential. Apps that rely on servers to generate link previews may be violating the privacy of their users by sending links shared in a private chat to their servers”.

Examples of apps that use this method are:

  • Twitter
  • Instagram
  • Discord
  • Google Hangouts
  • LinkedIn
  • Facebook Messenger

The two researchers also included in the report their test results for these apps, showing how much data their servers download when generating a preview:

  • Instagram – The server downloads anything, no matter the size
  • Discord – The server downloads up to 15 MB of any kind of file
  • Google Hangouts – Downloads up to 50 MB of any kind of file
  • Facebook Messenger – Downloads entire files, even a 1-gigabyte file
  • Twitter – Downloads up to 25 MB of any kind of file
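A defensive counterpart to those numbers, as an added example that is not from the article or from the researchers’ report: a preview fetcher that refuses non-HTML content, rejects a declared Content-Length over the cap before reading anything, enforces the cap on the bytes actually received (the header can lie), and stops as soon as the page’s `<head>` has been parsed. The `build_preview` and `_MetaParser` names are this example’s own, and the headers and body chunks it takes are stand-ins for a real HTTP client’s response.

```python
import codecs
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 1024 * 1024   # 1 MiB is more than enough for a page <head>
ALLOWED_TYPES = ("text/html", "application/xhtml+xml")


class _MetaParser(HTMLParser):
    """Collect <title> and Open Graph title/description; flag when <head> closes."""
    def __init__(self):
        super().__init__()
        self.data, self._in_title, self.done = {}, False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("property") in ("og:title", "og:description"):
            self.data[a["property"]] = a.get("content", "")

    def handle_data(self, data):
        if self._in_title:
            self.data["title"] = self.data.get("title", "") + data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.done = True


def build_preview(headers, chunks, max_bytes=MAX_PREVIEW_BYTES):
    """headers: response header dict; chunks: iterable of body byte chunks.
    Returns the preview metadata, or None when the resource must not be fetched."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_TYPES:
        return None                        # never pull PDFs, archives, video...
    declared = headers.get("Content-Length")
    if declared is not None and int(declared) > max_bytes:
        return None                        # refuse before reading a single byte
    parser, received = _MetaParser(), 0
    decoder = codecs.getincrementaldecoder("utf-8")("replace")
    for chunk in chunks:                   # Content-Length can lie: enforce on real bytes
        received += len(chunk)
        if received > max_bytes:
            return None                    # abort rather than swallow the whole file
        parser.feed(decoder.decode(chunk))
        if parser.done:
            break                          # <head> parsed: stop, don't download the body
    return parser.data
```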
