If you are among the more than a billion people who use Facebook Messenger, consider switching to an alternative. Unlike its Facebook stablemate WhatsApp, Messenger lacks the critical security required to keep your content safe from prying eyes. Everything you send through Messenger passes through Facebook servers that the company has access to. We already know that Facebook monitors Messenger content to make sure you are following its rules; a new security report also claims it downloads your private content to its own servers without warning.
The team behind the report has a strong track record of holding major technology platforms to account on security. Tommy Mysk and Talal Haj Bakry prompted Apple to add the clipboard-access warnings that are such a well-known part of iOS 14. Their research also caught TikTok reading Apple users’ clipboards at random, part of the technical backlash that ultimately led to US action against the Chinese viral platform.
Mysk and Haj Bakry initially set out to investigate how different messaging platforms deal with so-called “link previews”. When you send a link to a website, news article, or other online content – including private documents – the recipient of your message will often see a preview of that content. This of course requires that something, somewhere, follow the link and return its data. How that is done, however, is critical. Get it wrong and messaging platforms can access private data, download personal information to their servers, and even disclose user locations.
“We think link previews are a good case study of how a simple feature can pose privacy and security risks,” the team says in their report, published today. While Mysk and Haj Bakry found that a number of messaging platforms do not generate link previews at all – ironically, TikTok and WeChat among them – the major end-to-end encrypted messengers, including WhatsApp and iMessage, generate link previews on the sender side. “When you send a link, [your own messaging] app will go and download what’s in the link. A summary and a preview image of the website will be created and sent as an attachment along with the link.” Ultra-secure Signal offers the option to turn sender-side link previews on or off.
This type of link preview is a pretty safe bet, the researchers explain. “The recipient would be protected from risk if the link was malicious. This approach assumes that anyone who sends the link has to trust it, because the sender’s app needs to open the link.”
The opposite approach is the recipient-side link preview – and that is dangerous. It means anyone can send you a malicious link that your device might automatically follow, downloading malware or revealing your IP address and location. This is an attack vector for discovering a target’s location. Mysk and Haj Bakry found only two messengers that took this approach, and both are addressing the vulnerability. Only one was a mainstream messenger; its identity won’t be revealed until a fix is released.
This brings us to the last option, the Facebook Messenger approach – the server-side link preview. The report says, “When you send a link, the app first sends it to an external server and asks it to preview it. The server then sends the preview back to the sender and recipient.” However, this is a potential security nightmare. “Facebook Messenger doesn’t offer any link previews at all in its secret conversations, which are end-to-end encrypted,” Mysk told me. “All of the vulnerabilities that we discovered in Facebook Messenger occur in normal chats. This kind of shows that Facebook is admitting that the way link previews are handled in normal chats can compromise user privacy.”
As the researchers explain in their report, “Links shared in chats may contain private information intended only for the recipients. This could be bills, contracts, medical records or anything that could be confidential … Although these servers are trusted by the app, there is no indication to users that the servers are downloading anything they can find in a link. Are the servers downloading whole files or just a small amount to preview? When downloading entire files, do the servers keep a copy, and if so, how long? And are these copies stored securely, or can the people who run the servers access the copies?”
This goes well beyond links to public websites. “Suppose you sent someone a private Dropbox link,” warn Mysk and Haj Bakry, “and you don’t want anyone else to see what’s inside. With this approach, the server must make a copy (or at least a partial copy) of the content of the link in order to generate the preview. That secret design document that you shared a link to from your OneDrive, and thought you had deleted because you didn’t want to share it anymore? A copy of it may be on one of these link preview servers.”
A number of messaging platforms take this approach – including Facebook Messenger and its stablemate Instagram, LinkedIn, Slack, Twitter, Zoom, and Google Hangouts. However, only Facebook’s platforms were seen downloading massive files far beyond the size required for a preview. While the others stopped at 20 to 50 MB, the researchers saw Facebook download a 2.6 GB file to its servers. “The moment the link was sent, several Facebook servers immediately started downloading the file from our server … 24.7 GB of data was downloaded from our server by Facebook servers … It is still unclear to us why Facebook servers would do this when all the other apps limit how much data gets downloaded.”
According to Mysk, “the servers need to open the links and download what’s there. This is not communicated to users, who may send links to private information, such as a private link to a PDF document. While users believe they are in a private space, the apps send information exchanged in the chat to external servers without the users noticing. These external servers are run by the app operator, but they receive a copy of the data exposed by the link.”
Facebook at least limits its unlimited downloads to media files; Instagram appears to download files of any size and any type. But remember that Instagram and Messenger are currently being integrated, so it’s worth treating them the same in terms of security.
While this issue is not limited to Facebook Messenger, it is the only mainstream messenger tested that takes this approach with private user data regardless of file size. Most of the other platforms that use this type of link preview are not dedicated messengers as such, but rather offer DMs within other services. Few people, for example, would trust Twitter DMs to send large private attachments that have nothing to do with the app.
The researchers also said they found that Instagram would even execute code served from a link on its servers. They claim that sending a link to malicious JavaScript in an Instagram DM would cause Facebook’s servers to execute that code. “We showed [Facebook] that an attacker could execute any JavaScript code on their servers by sending links to a malicious website owned by the attacker,” Mysk explained. “They rejected this case on the grounds that they had anti-abuse mechanisms in place to stop malicious individuals.”
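As an added example (not the researchers’ or Facebook’s code), here is what the per-app download limit described above and parse-only handling of fetched HTML look like in a preview fetcher: it reads at most a fixed number of bytes, stops at </head>, skips non-HTML bodies entirely and extracts metadata by static parsing, so a linked page’s JavaScript is never run. The 1 MiB cap, the sample page and the EndlessBody stand-in are constructed assumptions.

```python
# Added example, not the researchers' or Facebook's code. Cap, sample page, EndlessBody: constructed.
from html.parser import HTMLParser
from io import BytesIO
MAX_PREVIEW_BYTES = 1024 * 1024  # assumed cap; the report says most apps stop at 20-50 MB
CHUNK = 64 * 1024

class _MetaParser(HTMLParser):
    """Static parse of <title> and og: <meta> tags; <script> bodies are text here, never evaluated."""
    def __init__(self):
        super().__init__()
        self.meta, self._in_title, self.done = {}, False, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:"):
            self.meta[prop] = a.get("content") or ""
        elif tag == "title":
            self._in_title = True
    def handle_data(self, data):
        if self._in_title and data.strip():
            self.meta.setdefault("title", data.strip())
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.done = True  # a preview needs nothing past </head>; stop reading

def preview_from_stream(body, content_type, max_bytes=MAX_PREVIEW_BYTES):
    """Read at most max_bytes of a bytes or file-like body -> (metadata, bytes_read); non-HTML is never fetched."""
    if not content_type.lower().startswith("text/html"):
        return {"skipped": content_type}, 0
    stream = BytesIO(body) if isinstance(body, (bytes, bytearray)) else body
    parser, read = _MetaParser(), 0
    while read < max_bytes and not parser.done:
        chunk = stream.read(min(CHUNK, max_bytes - read))
        if not chunk:
            break
        read += len(chunk)
        parser.feed(chunk.decode("utf-8", errors="replace"))
    return parser.meta, read

class EndlessBody:  # constructed stand-in for a multi-gigabyte media file
    def read(self, n):
        return b"A" * n

HTML_PAGE = (b'<html><head><title>Quarterly design doc</title><meta property="og:title" '  # constructed
             b'content="Design doc"><meta property="og:image" content="https://example.invalid/c.png">'
             b"</head><body>" + b"x" * 100_000 + b"</body></html>")
```

With the cap in place, the HTML page yields its title and og: tags after a single 64 KiB read, a video body is not fetched at all, and an endless HTML body is cut off at exactly max_bytes.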
For users of these messaging platforms, the takeaway is clear and simple. If you’re sending something private or personal, make sure you’re using an end-to-end encrypted platform. This should show how easy it is for a platform that only offers app-to-server encryption to access your content. But then we already knew that Facebook reads unencrypted content – the only surprise is that it downloads it onto its own servers.
In response to the new report, Facebook told me, “These are not security holes. The behavior described is how we preview a link in Messenger or how people can share a link on Instagram, and we do not save this data. This is in line with our data policy and terms of use.” The company also told me that additional security measures are in place behind the scenes to protect against remote code execution attacks – although Mysk and Haj Bakry say they have shown such a code execution vulnerability in action. On the privacy concerns, Facebook acknowledged that its monitoring of unencrypted chats is already public knowledge.
Facebook itself is one of the leading advocates of end-to-end encryption in the world. Secret Conversations were introduced in Messenger to reduce the risk of content being compromised through Facebook’s own infrastructure; for technical reasons, however, this cannot be set as the default. Facebook is also a leading defender of the encryption used by its WhatsApp messenger, whose explanation of why you need end-to-end encryption sums it up perfectly: “Some of your most personal moments are shared on WhatsApp. That is why we have integrated end-to-end encryption into our app. With end-to-end encryption, messages, photos, videos, voice messages, documents, and calls can’t get into the wrong hands.”
This new report shows what it all means in practice. So if you’re sticking with a poorly secured messaging platform, including Facebook Messenger or, worse, SMS, now is the time to switch. WhatsApp remains a great choice for everyday use, with a huge user base and all the features you need, despite Facebook’s monetization push. But there are clearly safer options if you want to escape Facebook altogether.
“Apps that generate link previews on servers can leak the content of links,” warns Mysk. “If the leaked content is classified as personal, then personal user data is definitely at risk. It is unclear how long such servers store the data, and whether these servers store the data securely or adhere to the same privacy policy as stated in the app. Since Facebook didn’t answer any of these privacy concerns, I wouldn’t send links to private information in such apps. If you want to be on the safe side, just switch to a fully encrypted app.”
This article, “Why you shouldn’t use your Facebook Messenger app anymore”, was originally published at de24.news; the editorial team at AlKhaleej Today has confirmed and modified it, and it may have been transferred or quoted in full from that source, where you can read and follow the original.