Researchers Talal Haj Bakry and Tommy Mysk discovered several cases of vulnerable apps that were leaking IP addresses, exposing links in end-to-end-encrypted chats, and silently downloading gigabytes of data without any need.
The Hidden Risks of Link Previews in Chat Apps
The researchers point out that link previews are a great example of how a simple feature can hide security risks. During their research, the team found several bugs in the way the feature is implemented in popular chat apps on Android and iOS.
The issue with link previews is that they may contain sensitive information that only recipients should see. This information may be contracts, medical records, or other confidential documents. In other words, apps that rely on servers to generate previews may be violating users’ privacy, the analysis notes.
So, which apps use link previews? Most chat apps use those, as the feature makes it easy to display a visual preview and a short description of the link. Some apps, such as Signal enable users to turn on or off link previews. Other apps, such as WeChat and TikTok don’t generate a link preview. Apps using link previews enable them in two ways – at the sender’s or recipient’s end or via an external server that is sent back to both chat sides.
Sender-side link previews are implemented in Apple iMessage, Signal (when enabled), Viber, and WhatsApp. These work by downloading the link, creating preview image and summary, and sending it to the recipient in the form of an attachment. When the other user receives the preview, it shows that message without the need to open the link.
This way, the user is protected from suspicious links. On the other hand, recipient-side link previews could allow threat actors to measure the user’s approximate location. This can happen without any action on the receiver’s side; all that needs to be done is sending a link to a server controlled by the threat actor.
How is this possible? When the chat app receives a message with a link, it opens the URL automatically to create the preview. However, this process discloses the device’s IP address in the request sent to the server. This issue is present in Reddit Chat, and another app which hasn’t been disclosed but is working on fixing the issue.
More technical details of how link previews can be threatening to our security is present in the researchers’ blog.