Many messaging apps do link previews insecurely. That’s the conclusion of a pair of well-known infosec researchers this week.
The worst are Facebook’s Messenger and Instagram, plus LINE. Shocking, I know. Also heavily criticized are Discord, LinkedIn, Slack, and Zoom—among others.
I know, right? In this week’s Security Blogwatch, we revert to semaphore and smoke signals.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Is Amazon lying to you?
Crouching feature; hidden threat
What’s the craic, Zac? Mister Doffman reports—Why You Should Stop Using Your Facebook Messenger App:
Everything you send on Messenger passes through Facebook servers to which it has access. … Facebook “spies” on this content. [It] downloads your private content to its own servers without any warning.
The team behind the report has good form in holding major tech platforms to account on security grounds. Tommy Mysk and Talal Haj Bakry … initially set out to study how various messaging platforms handled so-called “link previews.” … The main end-to-end encrypted messengers, including WhatsApp and iMessage, generate link previews on the sender-side, [which] is a fairly safe security bet.
The opposite approach is receiver-side link previews—and this is dangerous. … It might disclose your IP address, [which] presents an attack vector to discover target locations.
The final option [is] server-side link previews, [which] is a potential security nightmare. … A number of messaging platforms take this approach—Facebook Messenger and stablemate Instagram, LinkedIn, Slack, Twitter, Zoom and Google Hangouts among them. But only Facebook’s platforms were seen [downloading] massive files, beyond the size needed for a preview.
And Dan Goodin adds in—Link previews provide convenience. They can also compromise privacy or security.:
Link previews … make online conversations easier by providing images and text associated with the file that’s being linked. … Unfortunately, they can also leak our sensitive data.
The app itself—or a proxy designated by the app—has to visit the link, open the file there, and survey what’s in it. This can open users to attacks. … Most messaging apps are doing things right. For instance, Signal, Threema, TikTok, and WeChat all give the users the option of receiving no link preview.
The researchers, Talal Haj Bakry and Tommy Mysk, explain themselves—How a Simple Feature Can Have Privacy and Security Risks:
Link previews are a good case study of how a simple feature can have privacy and security risks. … There’s one big takeaway here for developers: Whenever you’re building a new feature, always keep in mind what sort of privacy and security implications it may have, especially if this feature is going to be used by thousands or even millions of people around the world.
When the LINE app opens an encrypted message and finds a link, it sends that link to a LINE server to generate the preview. … This defeats the purpose of end-to-end encryption.
Instagram [and] Facebook Messenger download entire files … even files gigabytes in size. … They told us that they consider this to be working as intended:
Mildly depressing? OrangeTide swearily reacts:
It’s been over 30 years since the specifications for IRC and Zephyr. And still nobody can seem to settle on a standard or make something that isn’t complete marketing horse****, impossible to use, or subtly insecure.
There have been amazing strides in other areas—computer graphics, networking, parallel processing, neural networks, and even word processing—during the same time frame. Messaging is a trivial problem technically, but nobody can quite figure out how to make money with it.
Here’s an emission from tygorn, who’s on a mission. [You’re fired—Ed.]
I have been converting people from many of the apps in this story over to Signal for years now. I will be sending each and every one of them this story to reinforce why I was so persistent in hounding them to make the switch. This should also make it easier for me to convert some more holdouts.
And this isn’t a theoretical threat, as ArPe notes:
Scammers and hackers working for various dictatorships are sending links and link previews to people on apps like Instagram and TikTok. From my research asking around, these links aren’t quite sent randomly. They target individuals they want to hack, scam or frame for political or financial motives.
The social media platforms don’t care. At all. Not one bit. It would be very easy to make it so that fake accounts can’t send messages unless they have a number of real connections who they have genuine and natural reactions with. It should also be easy to remove your contact button from strangers, but on IG that’s not possible even if you set your account to private.
But what about responsible disclosure? Hear esperto rant:
There are two app names redacted; I assume one is Telegram, as it is a big player not listed there. The author says it is redacted because the developers were informed of the issues and are correcting them.
So Tommy Mysk clarifies and classifies:
We tested a lot of apps, but we somehow missed Telegram in our final write-up. I can tell you how it behaves:
In normal chats, Telegram generates link previews server-side. The server downloads up to 20 MB of any file.
In secret chats … end-to-end encrypted, Telegram prompts the user if they want to enable the feature of link previews. If enabled, the sender will generate the link previews and send it as an attachment to the receiver.
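What a bounded server- or sender-side preview generator looks like, as an added illustration of the two points Mysk makes above (full-file downloads versus a fixed cap such as Telegram’s 20 MB): this is not code from the researchers or from any of the apps named. It reads only a fixed byte budget from the linked resource and parses Open Graph metadata from that slice, so a multi-gigabyte file is never downloaded whole. The 64 KiB budget, the `example.invalid` URL and both sample bodies are assumptions constructed here.

```python
import io
from html.parser import HTMLParser

PREVIEW_BYTE_LIMIT = 64 * 1024  # hypothetical budget, far below Telegram's 20 MB cap

class _MetaParser(HTMLParser):
    # Collect og:* meta tags and <title>; ignore everything else on the page.
    def __init__(self):
        super().__init__()
        self.meta, self.title, self._in_title = {}, "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        prop = a.get("property") or ""
        if tag == "meta" and prop.startswith("og:") and a.get("content"):
            self.meta.setdefault(prop, a["content"])
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def bounded_read(stream, limit=PREVIEW_BYTE_LIMIT):
    """Read at most `limit` bytes from a file-like body and flag truncation."""
    data = stream.read(limit + 1)
    return data[:limit], len(data) > limit

def extract_preview(source, limit=PREVIEW_BYTE_LIMIT):
    """Build a preview from the first `limit` bytes only, never the whole file."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    body, truncated = bounded_read(stream, limit)
    p = _MetaParser()
    p.feed(body.decode("utf-8", errors="replace"))
    p.close()
    return {"title": p.meta.get("og:title") or p.title.strip() or None,
            "description": p.meta.get("og:description"),
            "image": p.meta.get("og:image"),
            "bytes_read": len(body), "truncated": truncated}

# Constructed samples: an HTML head followed by a 2 MB body, and a 2 MB binary
# blob, standing in for the oversized links the researchers sent to the apps.
SAMPLE_PAGE = (b"<html><head><title>Fallback title</title>"
               b'<meta property="og:title" content="Example report">'
               b'<meta property="og:description" content="A constructed page">'
               b'<meta property="og:image" content="https://example.invalid/cover.png">'
               b"</head><body>" + b"x" * (2 * 1024 * 1024) + b"</body></html>")
SAMPLE_BLOB = b"%PDF-1.4 constructed " + b"\0" * (2 * 1024 * 1024)
```

A real fetcher would pair this with a response timeout and a Content-Type check before parsing, and a sender-side design (as WhatsApp and iMessage do) keeps even the bounded fetch off the provider’s servers.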
Meanwhile, nylonsteel strums this ditty:
Back in the day, parents used to worry about kids playing vinyl records backwards for satanic messages. Today we have to worry about data security in everything.
The moral of the story?
DevOps: The coolest features can have nasty security implications.
SecOps: Are your workers sharing sensitive company info with insecure apps?
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE. 30.