Facebook Messenger, Instagram, Twitter can make data available via link preview:...

Security researchers Talal Haj Bakry and Tommy Mysk have published a blog post describing the security risks that link previews can pose. Almost all messaging apps offer link previews. The researchers state that this feature can cause a serious privacy breach if it is not handled properly. They detail how Instagram and Messenger have serious loopholes that need to be addressed. In their case study, they found several flaws, such as leaking IP addresses, exposing links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data in the background.

In the blog post, Mysk and Bakry describe how chat apps use different approaches to generate link previews. They detail how Reddit generated link previews by automatically opening the link even before you tap on it. Users only needed to see the message on Reddit to trigger this behavior in the background. This approach can let malicious attackers obtain your IP address, which indirectly reveals your location. The report says that Reddit fixed this issue after the researchers contacted them.

Apps like Discord, Facebook Messenger, Google Hangouts, Instagram, Line, LinkedIn, Slack, Twitter, and Zoom use a different approach where the link is sent to an external server for a preview. The server sends the preview back to both the sender and the recipient. This approach requires the server to make a copy of the link in order to generate the preview. This copy can be saved on the server and later misused.

This approach could violate users' privacy by sending links shared in a private chat to the apps' servers. These links may contain private information intended only for the recipients, such as bills, contracts, medical records, or anything else that is confidential. The Line app was found to send links from end-to-end encrypted (e2ee) chats to its servers to generate previews, which completely defeats the purpose of e2ee.

While some apps restrict the amount of data collected and stored, Instagram and Facebook Messenger have no restrictions and can download anything regardless of size. The researchers show that Instagram downloaded a 2.7GB link to multiple Facebook servers. The link was downloaded on eight Facebook servers, and approximately 24.7GB of data was downloaded from just that one link shared on Instagram. This is alarming, as most apps have download restrictions. Neither Facebook nor Instagram has yet responded to the researchers' announcement.

Slack has a download limit of 50MB, while LinkedIn has limited it to 30MB. Despite these limitations, a data breach can occur if these servers are hacked.

The researchers mention that WhatsApp, Signal, iMessage, and Viber use an approach where the sender's app downloads the content of the link. It creates a summary and a preview image of the website and sends them as an attachment along with the link. On the receiving end, when the app receives the message, it shows the preview as received from the sender without opening the link. That way, the recipient is protected from risk if the link is malicious. This approach assumes that anyone who sends the link has to trust it, because the sender's app needs to open the link.

“The approach most apps use to send links to servers can be abused by threat actors to execute potentially malicious code in the link preview.” WeChat, Threema, and TikTok don't generate any link previews at all, and even Signal has the option to turn them off if you choose to.
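A size-capped, metadata-only preview builder, added here as an example (it is not code from the researchers' post or from any of the apps named above). The 512 KB cap, the function names and the sample page are assumptions; the point is that the reader stops at the cap and only parses tags, so scripts in the page never run.

```python
import codecs
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 512 * 1024  # assumed cap, far below the 30MB/50MB limits cited above

class MetaParser(HTMLParser):
    """Collects <title> and Open Graph <meta> tags; script content is never executed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.meta, self.in_title = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop, content = a.get("property") or "", a.get("content") or ""
        if tag == "title":
            self.in_title = True
        elif tag == "meta" and prop.startswith("og:") and content.strip():
            self.meta.setdefault(prop[3:], content.strip())

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title and data.strip():
            self.meta.setdefault("title", data.strip())

def build_preview(content_type, chunks, max_bytes=MAX_PREVIEW_BYTES):
    """Return (preview, bytes_read). chunks: iterator of bytes, e.g. a streamed body."""
    if not content_type.lower().startswith("text/html"):
        return {}, 0  # never pull videos or archives just to render a preview
    parser, read = MetaParser(), 0
    decode = codecs.getincrementaldecoder("utf-8")(errors="replace").decode
    for chunk in chunks:
        chunk = chunk[: max_bytes - read]  # truncate the chunk that crosses the cap
        read += len(chunk)
        parser.feed(decode(chunk))
        if read >= max_bytes:
            break  # stop reading; the caller should close the connection here
    return parser.meta, read

def endless_body():
    """Constructed sample: a small HTML head followed by unbounded padding."""
    yield (b'<html><head><script>document.title="Not the title"</script>'
           b'<title>Invoice</title>'
           b'<meta property="og:image" content="https://example.test/a.png"></head><body>')
    while True:
        yield b"A" * 65536

if __name__ == "__main__":
    print(build_preview("text/html; charset=utf-8", endless_body(), 200_000))
```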


It is also worth noting that the original news was published and is available at de24.news. The editorial team at AlKhaleej Today has confirmed it and modified it, and it may have been completely transferred or quoted from that source; you can read and follow this news at its main source.