Experts Warn of Privacy Risks Caused by Link Previews in Messaging Apps

October 26, 2020

Cybersecurity researchers over the weekend disclosed new security risks associated with link previews in popular messaging apps that cause the services to leak IP addresses, expose links sent via end-to-end encrypted chats, and even unnecessarily download gigabytes of data stealthily in the background.

“Links shared in chats may contain private information intended only for the recipients,” researchers Talal Haj Bakry and Tommy Mysk said.

“This could be bills, contracts, medical records, or anything that may be confidential.”

“Apps that rely on servers to generate link previews may be violating the privacy of their users by sending links shared in a private chat to their servers.”

Generating Link Previews at the Sender/Receiver Side

Link previews are a common feature in most chat apps, making it easy to display a visual preview and a brief description of the shared link.

Apps like Signal and Wire give users the option to turn link previews on or off, while a few others, such as Threema, TikTok, and WeChat, don’t generate a link preview at all.

The apps that do generate previews do so either at the sender’s end, at the recipient’s end, or on an external server, which then sends the preview back to both the sender and receiver.

Sender-side link previews, used in Apple iMessage, Signal (if the setting is on), Viber, and Facebook’s WhatsApp, work by downloading the link and then creating the preview image and summary, which are sent to the recipient as an attachment. When the app on the other end receives the preview, it displays the message without opening the link, thus protecting the user from malicious links.

“This approach assumes that whoever is sending the link must trust it, since it’ll be the sender’s app that will have to open the link,” the researchers said.

In contrast, link previews generated on the recipient side open the door to new risks: a bad actor can gauge the recipient’s approximate location, without any action taken by the receiver, simply by sending a link to a server under the bad actor’s control.

This happens because the messaging app, upon receiving a message with a link, opens the URL automatically to create the preview, thereby disclosing the phone’s IP address in the request sent to the server.

Reddit Chat and an undisclosed app, which is “in the process of fixing the issue,” were found to follow this approach, per the researchers.

Using an External Server to Generate Link Previews

Lastly, the use of an external server to generate previews, while preventing the IP address leakage problem, creates new issues: Does the server used to generate the preview retain a copy, and if so, for how long, and what do they use it for?

Several apps, including Discord, Facebook Messenger, Google Hangouts, Instagram, LINE, LinkedIn, Slack, Twitter, and Zoom, fall into this category, with no indication to users that “the servers are downloading whatever they find in a link.”

Testing these apps revealed that except for Facebook Messenger and Instagram, all others imposed a 15-50 MB cap when it comes to the files downloaded by their respective servers. Slack, for instance, caches link previews for around 30 minutes.

The outliers, Facebook Messenger and Instagram, were found to download entire files, even if they ran into gigabytes in size (such as a 2.6GB file), which according to Facebook, is an intended feature.

Even then, the researchers warn, this could be a “privacy nightmare” if the servers do retain a copy and “there’s ever a data breach of these servers.”

What’s more, despite LINE’s end-to-end encryption (E2EE) feature designed to prevent third-parties from eavesdropping on conversations, the app’s reliance on an external server to generate link previews allows “the LINE servers [to] know all about the links that are being sent through the app, and who’s sharing which links to whom.”

LINE has since updated its FAQ to reflect that “in order to generate URL previews, links shared in chats are also sent to LINE’s servers.”

In a separate case, the researchers also discovered that it was potentially possible to execute malicious code on link preview servers, with a link to JavaScript code shared on Instagram or LinkedIn causing their servers to run the code.

“We tested this by sending a link to a website on our server which contained JavaScript code that simply made a callback to our server,” they said. “We were able to confirm that we had at least 20 seconds of execution time on these servers.”
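The two server-side problems described above (downloading whole files and running JavaScript found in the page) can both be avoided by a preview generator that stops reading at a fixed byte cap and only parses metadata as text. The following is an added example, not code from the researchers or from any of the apps named; `build_preview`, `read_capped`, `MetaParser`, the 256 KiB cap and the sample page are assumptions made for illustration, and the network fetch is left out so the function takes a Content-Type and an iterable of body chunks.

```python
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 256 * 1024  # assumed cap, chosen for this example

# Constructed sample page: metadata, then a script that must never run.
SAMPLE_PAGE = (
    b"<html><head><title>Raw title</title>"
    b'<meta property="og:title" content="Invoice summary">'
    b'<meta property="og:description" content="Constructed sample">'
    b'<script>document.title = "changed by script"</script></head><body>'
)

class MetaParser(HTMLParser):
    """Collects <title> and Open Graph tags as text; nothing is evaluated."""
    def __init__(self):
        super().__init__()
        self.og, self.title, self._in_title = {}, None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og.setdefault(a["property"][3:], a.get("content") or "")
        self._in_title = tag == "title"

    def handle_endtag(self, tag):
        self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.title is None:
            self.title = data.strip()

def read_capped(chunks, cap):
    """Pull chunks until `cap` bytes are held, then stop reading the source."""
    buf = bytearray()
    for chunk in chunks:
        buf += chunk[: cap - len(buf)]
        if len(buf) >= cap:
            break
    return bytes(buf)

def build_preview(content_type, chunks, cap=MAX_PREVIEW_BYTES):
    """Return preview fields from a response's Content-Type and body chunks."""
    if not content_type.lower().startswith("text/html"):
        # Non-HTML (archives, video, ...): do not read the body at all.
        return {"title": None, "description": None, "bytes_read": 0}
    body = read_capped(chunks, cap)
    parser = MetaParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    return {"title": parser.og.get("title") or parser.title,
            "description": parser.og.get("description"),
            "bytes_read": len(body)}
```

Because the script body is only ever seen as inert text, the preview title stays "Invoice summary" no matter what the page's JavaScript would have done in a browser.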

Keeping in Mind the Privacy and Security Implications

Bakry and Mysk have previously exposed flaws in TikTok that made it possible for attackers to display forged videos, including those from verified accounts, by redirecting the app to a fake server hosting a collection of forged videos. Earlier this March, the duo also uncovered a troubling privacy grab by over four dozen iOS apps that were found to access users’ clipboards without users’ explicit permission.

The development led Apple to introduce a new setting in iOS 14 that alerts users every time an app tries to copy clipboard information, alongside adding a new permission that protects the clipboard from unwarranted access by third-party apps.

“We think there’s one big takeaway here for developers: Whenever you’re building a new feature, always keep in mind what sort of privacy and security implications it may have, especially if this feature is going to be used by thousands or even millions of people around the world.”

“Link previews are a nice feature that users generally benefit from, but here we’ve showcased the wide range of problems this feature can have when privacy and security concerns aren’t carefully considered.”


Credit: The Hacker News By: noreply@blogger.com (Ravie Lakshmanan)
