Link previews on social media apps risk privacy, drain battery: Report

While the research finds that users of Facebook Messenger and Instagram can be the worst affected, Facebook told the researchers that its app is working as intended

Link previews in messaging apps can drain the device’s battery, consume large amounts of bandwidth and put the privacy of chats at risk, according to a report by security researchers Talal Haj Bakry and Tommy Mysk. Facebook Messenger and Instagram are the worst offenders, followed by LinkedIn and Line, added the report, which was released on October 25, 2020.

To show how the feature can be misused, the researchers describe the approaches apps use to generate previews. In the first, the sender generates the preview: when a link is sent, the sending app downloads it and creates a preview and summary. That information is then sent to the receiver along with the link, and the receiver can view it without opening the link at all. Apps like WhatsApp and iMessage follow this approach.

While this method protects the receiver from malware, in another approach the receiver generates the preview. Here, the app does not give the receiver a choice about opening the link: when the user opens the chat, the link is downloaded. This approach compromises the user’s security because the previews are generated by sending GET requests to the servers the links point to.

These requests carry the users' IP addresses. Malicious links can easily harm users in this approach. Moreover, it can use up more battery and data even if the user does not want it to. Reddit chat uses this approach, the report said.

Apps like Facebook Messenger, Instagram, Line and Discord send the link to an external server, which generates a preview and sends it to both the sender and the receiver. While this approach doesn’t compromise IP details, it does compromise data that users wish to keep private.

The links are stored on these external servers, putting private information such as Dropbox links at risk. While some apps like Discord download only 15-20MB of a link's content, links sent through Facebook Messenger and Instagram are downloaded even if they run to gigabytes. Facebook downloads pictures and videos, while Instagram downloads all data.

After the researchers reached out to a few apps to inform them of the potential harm, Reddit fixed the problem, but Facebook replied that the feature is working as intended. Both Instagram and Facebook Messenger run JavaScript in the links, again putting users' security at risk. While Line follows the external-server approach, it gives the IP addresses of both users to the external server.
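
An added example, not code from the report or from any of the apps named: a preview builder that avoids the two behaviours described above, unbounded downloads and running the page's JavaScript. The function names, the 256 KB cap and the sample page are assumptions made for illustration, and a file-like object stands in for the HTTP response body.

```python
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 256 * 1024            # assumed cap; pick one that fits your app
PREVIEWABLE = {"text/html", "application/xhtml+xml"}
WANTED = {"og:title", "og:description", "og:image"}

class MetaOnlyParser(HTMLParser):
    """Collects <title> and Open Graph <meta> values. Nothing is executed."""
    def __init__(self):
        super().__init__()
        self.found, self._in_title = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("property") in WANTED and a.get("content"):
            self.found.setdefault(a["property"], a["content"][:300])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and data.strip():
            self.found.setdefault("title", data.strip()[:300])

def build_preview(content_type, body, cap=MAX_PREVIEW_BYTES):
    """body is a file-like object standing in for the HTTP response stream."""
    if content_type.split(";")[0].strip().lower() not in PREVIEWABLE:
        return None                        # no preview for video, images, archives
    chunk = body.read(cap)                 # the rest of the body is never pulled
    parser = MetaOnlyParser()
    parser.feed(chunk.decode("utf-8", errors="replace"))
    f = parser.found
    return {"title": f.get("og:title") or f.get("title", ""),
            "description": f.get("og:description", ""),
            "image": f.get("og:image", ""),
            "bytes_read": len(chunk)}

# Constructed sample: a small page with a script, followed by 2 MB of padding.
SAMPLE_PAGE = (b'<html><head><title>Shared file</title>'
               b'<meta property="og:title" content="Quarterly report">'
               b'<meta property="og:description" content="PDF, 3 pages">'
               b'<script>document.title = "changed by script";</script>'
               b'</head><body>' + b'A' * (2 * 1024 * 1024) + b'</body></html>')

if __name__ == "__main__":
    print(build_preview("text/html; charset=utf-8", io.BytesIO(SAMPLE_PAGE)))
    print(build_preview("video/mp4", io.BytesIO(b"\x00" * 1024)))
```

Because the script element is treated as inert text, the preview title stays "Quarterly report", and only the first 256 KB of the 2 MB body is read.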

