Research shows which messengers are leaking your data, draining your battery and more



Link previews are a ubiquitous feature found in almost all chat and messaging apps, and with good reason. They make online conversations easier by providing images and text associated with the linked file.

Unfortunately, they can also leak our sensitive data, consume limited bandwidth, drain batteries, and, in one case, reveal links in chats that should be end-to-end encrypted. Among the worst offenders, according to research released on Monday, were messengers from Facebook, Instagram, LinkedIn and Line. More on that soon. First, a brief discussion of previews.

When a sender includes a link in a message, the app displays it in the conversation along with the text (usually a headline) and images that accompany the link. It usually looks something like this:

For this to happen, the app itself or a proxy server designated by it must visit the link, open the file there, and examine what is in it. This can open users to attacks. The most severe are those that can download malware. Other forms of abuse can force an app to download files so large that the app crashes, drains the battery, or consumes limited bandwidth. And if the link leads to private material (say, a tax return posted to a private OneDrive or DropBox account), the app's server has the ability to view and store it indefinitely.

Talal Haj Bakry and Tommy Mysk, the researchers behind Monday’s report, found Facebook Messenger and Instagram were the worst offenders. As shown in the diagram below, both apps download and copy the entire linked file, even if it is gigabytes in size. Again, this can be a concern if the file is one that users want to keep private.

Link previews: Instagram servers download any link sent in direct messages, even if it is 2.6 GB

This is also problematic because the apps can consume huge amounts of bandwidth and battery. Both apps also run any JavaScript contained in the link. This is a problem because users have no way to vet the security of that JavaScript and cannot expect messengers to have the same exploit protections that modern browsers have.

Link previews: How hackers can run any JavaScript code on Instagram servers.

LinkedIn performed only slightly better. The only difference was that instead of copying files of any size, it copied only the first 50 megabytes. Haj Bakry and Mysk reported their findings to Facebook, and the company said both apps are working as intended.

Meanwhile, when Line opens an encrypted message and finds a link, it appears to send the link to the Line server to generate a preview. “We don’t think that’s in line with the goal of full encryption, because LINE servers know all about the links that are sent through the program and who they share links with,” wrote Haj Bakry and Mysk.

Discord, Google Hangouts, Slack, Twitter, and Zoom also copy files, but they cap the amount of data at anywhere from 15 MB to 50 MB. The chart below provides a comparison of each app in the study.

Talal Haj Bakry and Tommy Mysk

Overall, the research is good news, as it shows that most messaging apps handle link previews properly. For example, Signal, Threema, TikTok, and WeChat give users the option of receiving no link previews. This is the best setting for sensitive messages and for users who want as much privacy as possible. Even when previews are provided, these apps use fairly secure means to generate them.
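The two behaviours the researchers flag, copying a linked file regardless of size and running its JavaScript, can both be avoided when a preview is generated. As an added example (not code from the article, the researchers or any of the apps named), the Python below reads at most a fixed number of bytes from an already-opened response body and extracts only the title and Open Graph tags as plain text. The 64 KB cap, the names `build_preview` and `MetaParser`, and the sample page are assumptions made for this illustration.

```python
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap, chosen for this example

class MetaParser(HTMLParser):
    """Collects <title> and Open Graph tags as inert text; nothing is executed."""
    WANTED = ("og:title", "og:image")

    def __init__(self):
        super().__init__()
        self.fields = {}
        self.in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self.in_title = True
        elif tag == "meta" and attrs.get("property") in self.WANTED:
            self.fields.setdefault(attrs["property"], attrs.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:  # script bodies arrive here too and are dropped
            self.fields["title"] = self.fields.get("title", "") + data

def build_preview(stream, content_type, limit=MAX_PREVIEW_BYTES):
    """Return (fields, bytes_read); never reads more than `limit` bytes."""
    if not content_type.lower().startswith("text/html"):
        return {}, 0  # archives, video, documents: body is never read
    body = stream.read(limit)
    parser = MetaParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    return parser.fields, len(body)

# Constructed sample: a small HTML head followed by 1 MB of padding.
SAMPLE_HTML = (b'<html><head><title>Quarterly notes</title>'
               b'<meta property="og:title" content="Shared notes">'
               b'<script>document.title = "changed by script"</script>'
               b'</head><body>' + b"A" * 1_000_000)

if __name__ == "__main__":
    print(build_preview(io.BytesIO(SAMPLE_HTML), "text/html; charset=utf-8"))
    print(build_preview(io.BytesIO(b"\x00" * 5_000_000), "video/mp4"))
```

A preview built this way still reveals the link to whichever machine fetches it, so it does not address the concern raised about Line's server learning which links are shared.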
