Facebook and Instagram's 'link preview feature' puts you at risk of malware, crashing apps and wasting battery power
Many messaging and chat apps have a 'link preview' function that displays part of the text and images from the page behind a pasted URL to make conversation easier. However, it has been pointed out that link previews increase the risk of draining the smartphone's battery, crashing the app, and being infected with malware.
Link Previews: How a Simple Feature Can Have Privacy and Security Risks | Mysk
Study shows which messengers leak your data, drain your battery, and more | Ars Technica
https://arstechnica.com/information-technology/2020/10/study-shows-which-messengers-leak-your-data-drain-your-battery-and-more/
Link preview refers to the function that automatically displays the page title and an image from a URL when the user pastes the URL of an article they want to mention into the app, as shown below.
While link previews like this make online conversations easier, new research shows that the in-app link previews of Facebook Messenger, Instagram, LinkedIn and LINE can put users at risk.
For a link preview to be generated, the app has to access the page at the URL the user pasted, open the file and inspect its contents. In the course of this inspection, there is a risk that malware is downloaded, that a huge file is downloaded and crashes the app, and that battery and limited bandwidth are consumed.
The video below shows app developers Talal Haj Bakry and Tommy Mysk sending a huge 2.6 GB file via Facebook Messenger and Instagram. This caused the apps to consume a lot of battery and bandwidth. Also, since the file is stored on Facebook Messenger's server, there is a privacy issue if the file is personal.
The part inside the red frame is the link preview; because the file is huge, the image part is displayed in black.
When they checked how the app was processing the file ...
Eight or more servers were each downloading the 2.6 GB file. It was confirmed that multiple servers downloaded a total of 24.7 GB within an hour.
Also, if the page contains JavaScript code, malicious code may be loaded through the link preview. Most browsers have security protections against this, but apps like Facebook Messenger and Instagram do not have the same protections.
The following is an experiment on how link previews handle JavaScript.
Link Previews: How hackers can run any JavaScript code on Instagram servers - YouTube
When Haj Bakry and Mysk contacted the respective app developers with the results of the experiment, they received a response from Facebook Messenger and Instagram that this was 'the intended function.' LinkedIn, on the other hand, appears to have improved performance by copying and downloading only the first 50 megabytes.
It has also been reported that LINE sends the link to LINE's server to create the preview. 'LINE's servers know through the app what the link is and who shares the link with whom, and we believe this defeats the purpose of end-to-end encryption,' Mysk said.
In addition, Discord, Google Hangouts, Slack, Twitter, Zoom and others also copy files, but the file size was limited to 15 to 50 MB.
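As an added illustration, not part of the original article or of any of the apps' own code, the Python sketch below shows the defensive pattern that the 50 MB and 15 to 50 MB caps above point at: a preview fetcher with a hard byte cap, a timeout and a content-type gate, which extracts only the title and image from the HTML with a parser and therefore never evaluates scripts. The cap value, user agent string and function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.request import Request, urlopen

MAX_PREVIEW_BYTES = 1024 * 1024  # assumed hard cap per preview fetch (LinkedIn's is 50 MB)
PREVIEW_TIMEOUT_S = 5            # assumed: a slow host must not keep the radio busy

class _OGParser(HTMLParser):
    """Collect og:title / og:image and <title>; a parser, so scripts are never evaluated."""
    def __init__(self):
        super().__init__()
        self.og, self.page_title, self._in_title = {}, None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") in ("og:title", "og:image"):
            self.og[a["property"]] = a.get("content")
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.page_title is None:
            self.page_title = data.strip()

def read_capped(stream, max_bytes=MAX_PREVIEW_BYTES):
    """Read at most max_bytes from a file-like object; also report whether it was cut off."""
    data = stream.read(max_bytes + 1)
    return data[:max_bytes], len(data) > max_bytes

def extract_preview(html_bytes):
    """Turn (possibly truncated) HTML bytes into {'title', 'image'}; og:* wins over <title>."""
    p = _OGParser()
    p.feed(html_bytes.decode("utf-8", errors="replace"))  # truncated UTF-8 is tolerated
    return {"title": p.og.get("og:title") or p.page_title, "image": p.og.get("og:image")}

def fetch_preview(url):
    """Fetch a preview with a byte cap, timeout and content-type gate; None means refused."""
    req = Request(url, headers={"User-Agent": "preview-bot/1.0"})  # assumed UA string
    with urlopen(req, timeout=PREVIEW_TIMEOUT_S) as resp:
        if not resp.headers.get("Content-Type", "").startswith("text/html"):
            return None  # a 2.6 GB video is not HTML: no preview, nothing downloaded
        length = resp.headers.get("Content-Length")
        if length and length.isdigit() and int(length) > MAX_PREVIEW_BYTES:
            return None  # declared size already over the cap: refuse instead of streaming it
        data, _ = read_capped(resp)  # otherwise read only the capped prefix
    return extract_preview(data)
```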
The following table summarizes the features of each chat and messaging app. The column labels are the app names, and the row labels from the left are 'end-to-end encryption', 'unauthorized copy of private information', 'whether the server downloads a huge file', 'whether the link preview crashes the app or drains the battery', 'IP exposure', 'encrypted link leak' and 'danger of malicious code running on the link preview server'. The blacked-out part at the bottom covers apps that were being fixed at the time of writing; it will be published once the fixes are done.
'Link previews are generally a great feature that users will benefit from, but we've shown in this study that if you're not careful about privacy and security, you'll run into problems,' said Haj Bakry and Mysk.