Link previews in messaging apps can drain the device’s battery, consume large amounts of bandwidth and put the privacy of chats at risk, according to a report by security researchers Talal Haj Bakry and Tommy Mysk. Facebook Messenger and Instagram are the worst offenders, followed by LinkedIn and Line, added the report, which was released on October 25, 2020.
To show how this feature can be misused, the researchers describe the approaches apps use to generate previews. In the first approach, the sender generates the preview. The link, when sent, is downloaded by the app, which creates a preview and summary. The information generated is then sent to the receiver with the link, and the receiver can view it without opening the link at all. Apps like WhatsApp and iMessage follow this approach.
While this method protects the receiver from malware, another approach has the receiver generate the preview. Here, the app does not give the receiver the option of opening the link: when the user opens the chat, the link is downloaded. This approach compromises the user’s security, as the previews are generated by sending GET requests to the servers the links point to.
These requests require the IP addresses of users. Malicious links can easily cause harm to users in this approach. Moreover, this approach can use up more battery and data, even if the user is unwilling. Reddit chat uses this approach, according to the report.
Apps like Facebook Messenger, Instagram, Line and Discord send the link to an external server, which generates a preview and sends it to both the sender and the receiver. While this approach doesn’t compromise IP details, it compromises the data users wish to keep private.
The links are stored on these external servers, putting private information such as Dropbox links at risk. While some apps like Discord only download 15-20MB of a link’s content, links sent through Facebook Messenger and Instagram are downloaded even if they run to gigabytes. Facebook downloads pictures and videos, while Instagram downloads all data.
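The difference between a capped and an uncapped preview download can be shown with a short sketch. This is an added example, not code from the report or from any of the apps named; the function names `build_preview` and `constructed_body`, the use of Open Graph tags and the 64 KiB budget are assumptions made for illustration.

```python
from html.parser import HTMLParser


class _MetaParser(HTMLParser):
    """Collects <title> text and Open Graph <meta> tags (assumed preview source)."""

    def __init__(self):
        super().__init__()
        self.meta = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta.setdefault(a["property"][3:], a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and data.strip():
            self.meta.setdefault("page_title", data.strip())


def build_preview(chunks, max_bytes=64 * 1024):
    """Read a response body (iterable of byte chunks) up to max_bytes only.

    Returns (preview_dict, bytes_read). The rest of the body is never pulled,
    so a multi-gigabyte link costs at most max_bytes of bandwidth.
    """
    parser, read = _MetaParser(), 0
    for chunk in chunks:
        chunk = chunk[: max_bytes - read]  # never exceed the budget
        read += len(chunk)
        parser.feed(chunk.decode("utf-8", errors="replace"))
        if read >= max_bytes:
            break  # stop pulling data from the network
    m = parser.meta
    return {"title": m.get("title") or m.get("page_title", ""),
            "description": m.get("description", ""),
            "image": m.get("image", "")}, read


def constructed_body(padding_chunks):
    """Constructed sample: a small HTML head followed by bulk data."""
    yield (b"<html><head><title>Quarterly report</title>"
           b'<meta property="og:title" content="Q3 report">'
           b'<meta property="og:description" content="Shared file">'
           b"</head><body>")
    for _ in range(padding_chunks):
        yield b"A" * 65536
```

Because the body is consumed lazily, the cap bounds what is actually transferred, not just what is parsed.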