Link previews in apps leak user location & IP. WhatsApp, Discord, FB, Twitter, Google, IG, LinkedIn, Slack, & Zoom affected

Talal Haj Bakry and Tommy Mysk, cybersecurity researchers, have published reports on some security risks that could occur in previews of links sent across all kinds of online platforms.

According to experts, these flaws could affect users of Facebook, Instagram, WhatsApp, Discord, Twitter, LinkedIn, Slack and Zoom, generating IP address leaking, exposure of links sent in chats with end-to-end encryption, unnecessary download of data in the background, among other unusual behaviors.

La imagen tiene un atributo ALT vacío; su nombre de archivo es linkpreview01.jpg

These applications use a very specific approach to handling this data, which involves sending the binding in question to an external server on which the preview is generated. This server sends the preview to the sender and receiver, so it requires a copy of the information contained in the link to generate the preview.

La imagen tiene un atributo ALT vacío; su nombre de archivo es linkpreview02.jpg

Researchers argue that this approach could be detrimental to user privacy, as the information contained in the link may contain sensitive data only for the recipient of the message, whether invoices, medical records, among other data.

Some applications have limitations on the amount of data collected and stored. However, popular apps like Instagram and Facebook Messenger have no limitations, so it is possible to download links up to 2 GB on various Facebook servers.  

Several platforms like Slack have already taken action, setting a download limit of 50 MB, while LinkedIn has limited it to 30 MB. Still, the researchers point out those threat actors could get information from these links if they manage to compromise the platforms.

An approach that could prevent this behavior requires a summary and image to be downloaded from the website to which the link redirects. When the application on the receiving end receives the message, it will display the preview as sent by the sender without having to open the link at all. In this way, the receiver would be protected against risks if the link is malicious. This approach assumes that whoever sends the link must trust it, because it will be the sender’s application that will have to open the link.