Messenger apps: a security nightmare for SecOps

Many messaging apps generate link previews insecurely. Two well-known infosec researchers came to this conclusion this week.

The worst are Facebook's Messenger and Instagram, as well as LINE. Shocking, I know. Discord, LinkedIn, Slack and Zoom are also heavily criticized.

In some cases, link previews even break E2EE. Other services are actually running untrusted JavaScript on their servers!

I know, right? In this week's Security Blogwatch, let's return to semaphore and smoke signals.

Your humble blogwatcher has curated these blogging parts for your entertainment. Not to mention: Is Amazon lying to you?

Crouching function; hidden threat

What is the madness, Zac? Mr Doffman reports – Why you should stop using your Messenger app:

Everything you send through Messenger is transmitted through Facebook servers that it has access to. … Facebook “spies” on this content. [It] downloads your private content to its own server without warning.

The team behind the report is in good shape holding key technology platforms accountable for security reasons. Tommy Mysk and Talal Haj Bakry … first examined how various messaging platforms deal with so-called “link previews”. … The most important encrypted end-to-end messengers, including WhatsApp and iMessage, generate a link preview on the sender page, [which] is a pretty safe safety bet.

The opposite approach is the recipient-side link preview – and that is dangerous. … it could reveal your IP address, [which] presents an attack vector for detecting target locations.

The last option [is] Preview of server-side links, [which] is a potential security nightmare. … A number of messaging platforms are taking this approach – including Facebook Messenger and stablemate Instagram, LinkedIn, Slack, Twitter, Zoom and Google Hangouts. However, only the platforms of Facebook were seen [downloading] massive files that are larger than the size required for previewing.

And Dan Goodin adds – Link previews offer convenience. They can also compromise privacy or security:

Link Preview … facilitate online conversations by providing images and text for the file to be linked. … Unfortunately, you can also lose our sensitive data.

The app itself – or a proxy named by the app – needs to visit the link, open the file there and check what’s in it. This can open users up to attack. … Most messaging apps get things right. For example, Signal, Threema, TikTok and WeChat offer users the option of not receiving a link preview.

Researchers Talal Haj Bakry and Tommy Mysk declare themselves – How a simple function can pose privacy and security risks:

Link previews are a good case study of how a simple function can pose privacy and security risks. … For developers, there’s a big advantage here: when creating a new feature, always keep in mind the privacy and security implications it can have, especially if that feature is being used by thousands or even millions of people in the world.

When the LINE app opens an encrypted message and finds a link, it sends that link to a LINE server to generate the preview. … This defeats the purpose of end-to-end encryption.

Most websites these days contain JavaScript code. … Instagram and LinkedIn … trust code included in all random links shared in chats. … We were able to confirm that we had at least 20 seconds of execution time on these servers. It may not sound like much … but hackers can be creative.

Instagram [and] Facebook Messenger downloads entire files … even files as large as gigabytes. … They told us that they consider this to be intended:

Slightly depressing? OrangeTide swears quickly:

It has been over 30 years since the specifications for IRC and Zephyr were created. And yet, no one can commit to a standard or make something that is not fully marketed, impossible to use, or subtly unsafe.

In other areas – computer graphics, networking, parallel processing, neural networks, and even word processing – amazing advances have been made over the same period. Messaging is a trivial problem technically, but no one can figure out exactly how to make money from it.

Here is an emission from Tygorn, who is on a mission. [You’re fired—Ed.]

I’ve switched people to Signal from many apps in this story for years. I will send this story to each of them to reiterate why I pursued them so persistently to make the switch. This should also make it easier for me to convert more holdouts.

And that’s not a theoretical threat, as ArPe remarks:

Scammers and hackers working for various dictatorships send links and link previews to people in apps like Instagram and TikTok. According to my research, questions about these links are not sent entirely randomly. They target people who want to hack, cheat, or frame them for political or financial reasons.

The social media platforms don’t care. At all. Not a little. It would be very easy to make it so that fake accounts can’t send messages unless they have a number of real connections that they have real and natural reactions to. It should also be easy to remove your contact button from strangers, but you can’t do that on IG even if you set your account to private.

But what about responsible disclosure? Listen expert rant:

Two app names have been edited, I assume one is Telegram as it is a big player that is not listed there. The author says it will be edited because the issues have been reported to the developers and will be corrected.

In response, Tommy Mysk clarifies and classifies:

We tested a lot of apps, but we kind of missed Telegram in our last description. I can tell you how it goes:

In normal chats, Telegram generates link previews on the server side. The server downloads up to 20MB of any file.

In secret chats… end-to-end encrypted, Telegram asks the user to activate the link preview function. If activated, the sender generates the link preview and sends it as an attachment to the recipient.
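A sender-side preview generator along the lines discussed above, as an added example that is not code from the researchers or from any app named here: it fetches only HTML, stops at `</head>` or a byte cap, and parses metadata without running scripts. The 64 KiB cap, the function and class names, and the sample page are assumptions made for illustration.

```python
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap: a preview only needs the <head>
WANTED = {"og:title", "og:description", "og:image"}

class MetaOnly(HTMLParser):
    """Collects <title> and Open Graph <meta> tags; script text is never evaluated."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.meta, self.in_title = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") in WANTED and a.get("content"):
            self.meta.setdefault(a["property"], a["content"])
        self.in_title = (tag == "title")

    def handle_endtag(self, tag):
        self.in_title = False

    def handle_data(self, data):
        if self.in_title and data.strip():
            self.meta.setdefault("title", data.strip())

def build_preview(body, content_type, max_bytes=MAX_PREVIEW_BYTES):
    """body is a file-like response stream; returns (preview dict, bytes read)."""
    if not content_type.lower().startswith("text/html"):
        return {}, 0  # never download a binary just to preview it
    parser, read = MetaOnly(), 0
    while read < max_bytes:
        chunk = body.read(min(4096, max_bytes - read))
        if not chunk:
            break
        read += len(chunk)
        text = chunk.decode("utf-8", errors="replace")
        parser.feed(text)
        if "</head>" in text.lower():  # metadata lives in <head>; stop early
            break
    return parser.meta, read

# Constructed sample: small <head>, a script that must not run, 5 MB of body.
SAMPLE_PAGE = (b"<html><head><title>Quarterly report</title>"
               b"<meta property='og:title' content='Q3 numbers'>"
               b"<script>while(true){}</script>"
               b"<meta property='og:image' content='https://example.com/t.png'>"
               b"</head><body>" + b"A" * 5_000_000 + b"</body></html>")

if __name__ == "__main__":
    print(build_preview(io.BytesIO(SAMPLE_PAGE), "text/html; charset=utf-8"))
```

On the constructed 5 MB page the function reads a single 4 KiB chunk; a page with no `</head>` is cut off at the cap instead of being downloaded in full.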

Meanwhile, Nylonstahl climbs this song:

Parents used to worry that children could play records backwards to get satanic messages. Today we have to take care of data security in everything.

The moral of the story?

DevOps: The coolest features can have nasty security implications.
SecOps: Do your employees share confidential company information with insecure apps?

And finally

“Amazon: lying to you”


You have read Security Blogwatch by Richi Jennings. Richi curates the best blog parts, the best forums, and the weirdest websites. So you don’t have to. Hate mail can be addressed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E & OE. 30th

This week’s zoom sauce: NeONBRAND (via Unsplash)


It is also worth noting that the original news has been published and is available at de24.news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.