An analysis of the manner in which popular chat applications handle link previews has revealed several privacy and security issues, including some that still need addressing, security researchers warn.
Link previews provide users with information on what a link received in chat would lead them to, regardless of whether it is a file or a web page.
However, link previews can be abused for nefarious purposes, and security researchers Talal Haj Bakry and Tommy Mysk claim to have identified several cases in which popular chat apps for iOS and Android fail to provide their users with the necessary protections against such abuses.
Due to the manner in which link previews are implemented, some applications were found to leak users’ IP addresses, others to leak links sent in end-to-end encrypted conversations, and some to unnecessarily download large amounts of data, even gigabytes, in the background.
The analyzed applications include Discord, Facebook Messenger, Google Hangouts, iMessage, Instagram, LINE, LinkedIn, Reddit, Signal, Slack, Threema, TikTok, Twitter, Viber, WeChat, WhatsApp, and Zoom.
Four of the apps, namely Signal (if the link preview option is turned off in settings), Threema, TikTok, and WeChat, do not generate previews. In iMessage, Signal (if the link preview option is enabled), Viber, and WhatsApp, the previews are generated on the sender’s side.
In Reddit (only in the chat, not when viewing posts and comments), previews are generated on the receiver’s side, before the user taps the link. The researchers consider this a major privacy concern, as it may result in the receiver’s IP address being leaked to the sender.
An attacker can obtain a user’s IP address, which can also enable them to obtain an approximate geograph ..
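As an added example (not code from the article or from any of the apps it analyzes), the extractor below shows the mitigation for the background-download problem described above: a preview generator that reads a bounded number of bytes from a link and stops as soon as the HTML head has been seen, so a preview can never turn into a gigabyte download. The sample page is constructed; a real implementation would pass the HTTP response body in place of the in-memory bytes.

```python
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024   # hard cap on what a preview may pull from a link
CHUNK = 4096

class _HeadParser(HTMLParser):
    """Collects <title> and Open Graph meta tags from whatever HTML it is fed."""
    def __init__(self):
        super().__init__()
        self.og, self.title, self._in_title = {}, None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and str(a.get("property", "")).startswith("og:") and a.get("content"):
            self.og.setdefault(a["property"], a["content"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.title is None:
            self.title = data.strip()

def extract_preview(body, max_bytes=MAX_PREVIEW_BYTES):
    """Read the body in chunks, stopping at </head> or at max_bytes, whichever
    comes first; return the preview fields plus the number of bytes consumed."""
    buf = bytearray()
    while len(buf) < max_bytes:
        chunk = body.read(min(CHUNK, max_bytes - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
        if b"</head>" in buf:      # everything a preview needs is in the head
            break
    parser = _HeadParser()
    parser.feed(buf.decode("utf-8", errors="replace"))
    return {"title": parser.og.get("og:title") or parser.title,
            "image": parser.og.get("og:image"),
            "bytes_read": len(buf)}

def preview_from_bytes(data):
    """Wrapper for in-memory sample data (constructed input, not a live fetch)."""
    return extract_preview(io.BytesIO(data))

# Constructed sample: a small head followed by 10 MiB of body a preview should never fetch.
SAMPLE_PAGE = (b'<html><head><title>Sample page</title>'
               b'<meta property="og:title" content="OG Sample">'
               b'<meta property="og:image" content="https://example.invalid/cover.png">'
               b'</head><body>' + b"x" * (10 * 1024 * 1024) + b"</body></html>")
```

The same cap protects against a link that is not HTML at all, such as a large binary file: the reader stops at MAX_PREVIEW_BYTES and simply returns an empty preview.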