Link previews are a ubiquitous feature found in almost all chat and messaging apps, and for good reason. They make online chats easier by showing images and text that describe the linked file.
Unfortunately, they can also leak our sensitive data, consume limited bandwidth, drain batteries, and, in one case, reveal links shared in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were Facebook Messenger, Instagram, LinkedIn, and Line. More on that shortly. First, a brief discussion of how previews work.
When a sender includes a link in a message, the app displays the link along with text (usually the title) and images that accompany it. It usually looks something like this:
For this to happen, the app itself, or a proxy server it designates, must visit the link, open the file there, and examine what is in it. This can expose users to attacks. The most severe are those that could download malware. Other forms of abuse can force an app to download files so large that the app crashes, drains the battery, or consumes a limited bandwidth allowance. And if the link leads to private material, say a tax return posted to a private OneDrive or Dropbox account, the app server has the ability to view and store it indefinitely.
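The safe version of the fetch-and-examine step described above is to read only as many bytes as a preview needs and to refuse anything that is not an HTML page. The following is an added example written for this article, not code from any of the apps discussed; the 1 MiB cap, the function names, and the constructed sample page and stream are all assumptions chosen to illustrate the behaviour offline.

```python
"""Bandwidth-capped link preview extraction (illustrative, not from any messaging app)."""
from html.parser import HTMLParser
from typing import Iterable, Tuple

# Assumption: 1 MiB is plenty for the <head> of a page; no app needs gigabytes to build a preview.
MAX_PREVIEW_BYTES = 1 * 1024 * 1024


class _MetaParser(HTMLParser):
    """Collects the <title> and og:image metadata, which is all a preview card shows."""

    def __init__(self) -> None:
        super().__init__()
        self.title = None
        self.image = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("property") == "og:image" and a.get("content"):
            self.image = a["content"]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.title is None:
            self.title = data.strip()


def read_capped(chunks: Iterable[bytes], limit: int) -> Tuple[bytes, bool]:
    """Consume the response stream until `limit` bytes; never buffer more than that."""
    buf = bytearray()
    for chunk in chunks:
        remaining = limit - len(buf)
        if remaining <= 0:
            return bytes(buf), True
        buf.extend(chunk[:remaining])
        if len(chunk) > remaining:
            return bytes(buf), True  # stop pulling: the rest of the file is never downloaded
    return bytes(buf), False


def build_preview(content_type: str, chunks: Iterable[bytes], limit: int = MAX_PREVIEW_BYTES) -> dict:
    """Build a preview from a response's Content-Type header and its body stream."""
    # Only HTML documents can yield a preview card; a PDF, archive or spreadsheet
    # (the private tax return case) is skipped without reading its body at all.
    if not content_type.lower().startswith("text/html"):
        return {"preview": None, "bytes_read": 0, "truncated": False,
                "reason": f"skipped non-HTML content type {content_type!r}"}
    body, truncated = read_capped(chunks, limit)
    parser = _MetaParser()
    parser.feed(body.decode("utf-8", errors="replace"))  # tolerate a cut mid-character
    return {"preview": {"title": parser.title, "image": parser.image},
            "bytes_read": len(body), "truncated": truncated}


# --- constructed sample input: a page head followed by a very large body ---
SAMPLE_HEAD = (
    b"<html><head><title>Quarterly report</title>"
    b'<meta property="og:image" content="https://example.com/cover.png">'
    b"</head><body>"
)


def fake_html_stream(head: bytes, filler_chunks: int, chunk_size: int = 65536):
    """Simulates a server streaming a huge page: the head, then filler_chunks * chunk_size bytes."""
    yield head
    for _ in range(filler_chunks):
        yield b"x" * chunk_size


class CountingStream:
    """Wraps a chunk iterator and counts how many chunks the consumer actually pulled."""

    def __init__(self, it):
        self._it = it
        self.chunks_pulled = 0

    def __iter__(self):
        for chunk in self._it:
            self.chunks_pulled += 1
            yield chunk


if __name__ == "__main__":
    stream = CountingStream(fake_html_stream(SAMPLE_HEAD, filler_chunks=1000))  # ~64 MB on the wire
    print(build_preview("text/html; charset=utf-8", stream), "chunks pulled:", stream.chunks_pulled)
    print(build_preview("application/pdf", iter([b"%PDF-1.4"])))
```

The point of the example is that `bytes_read` stays at the cap and the stream is abandoned after a handful of chunks, whereas an app that copies the whole file behaves like the Facebook Messenger and Instagram cases described in the article. In a real client the same cap would also apply to fetching the `og:image` URL, and the fetch would additionally need a timeout and a redirect limit.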
Researchers Talal Haj Bakry and Tommy Mysk, who published Monday's report, found Facebook Messenger and Instagram to be the worst offenders. As shown in the diagram below, both apps download and copy the entire linked file, even when it is gigabytes in size. Again, this is a concern if the file is one users want to keep private.
LinkedIn fared only slightly better. The only difference was that instead of copying files of any size, it copied only the first 50 megabytes. Haj Bakry and Mysk reported their findings to Facebook, and the company said both apps are working as intended.
Meanwhile, when Line opens an encrypted message and finds a link, it appears to send the link to a Line server to generate the preview. “We don’t think that’s in line with the goal of full encryption, because LINE servers know all about the links that are sent through the program and who they share links with,” Haj Bakry and Mysk wrote.
Discord, Google Hangouts, Slack, Twitter, and Zoom also copy files, but they limit the amount of data to anywhere from 15 MB to 50 MB. The chart below compares each of the apps studied.
Overall, the research is good news, as it shows that most messaging apps handle previews properly. For example, Signal, Threema, TikTok, and WeChat give users the option of receiving no link previews at all. This is the best setting for sensitive messages and for users who want as much privacy as possible. Even when previews are enabled, these apps use relatively safe means to generate them.