This common chat feature risks your privacy

A common feature included in many chat apps presents security and privacy risks, researchers have claimed. The problem centers on how some messaging platforms display link previews, with reports of some apps leaking IP addresses, exposing links and downloading large quantities of data unnecessarily.

The exact nature of the issue depends on the particular app in question and how it generates the link preview. The apps that generated no preview at all, including WeChat and TikTok, offered users the safest way to handle links.

“Let’s take a step back and think about how a preview gets generated,” a blog post by Talal Haj Bakry and Tommy Mysk read. “How does the app know what to show in the summary? It must somehow automatically open the link to know what’s inside. But is that safe? What if the link contains malware? Or what if the link leads to a very large file that you wouldn’t want the app to download and use up your data?”

Risky download

For apps that generate link previews, there are varying levels of risk involved. In some apps, including iMessage and WhatsApp, the sender generates the preview, which carries a relatively low level of risk, assuming that the sender trusts the link being sent.

Apps that get the receiver to generate the preview are more concerning as they automatically open the link as soon as the message is seen. This approach could potentially expose IP addresses to attackers or simply create a huge drain on a phone’s battery and data plan if a large file is automatically downloaded.

A third method involves an external server generating the preview, which sounds good, but potentially exposes private links to whoever is operating the server in question. Already a number of app developers have responded to the findings, which demonstrate that even simple app features can pose serious security risks.
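The unnecessary-download risk described above can be bounded wherever the preview is built. The following is an added example, not code from the researchers' post or from any of the apps named: the function names, the 64 KiB cap and the chunk iterator (a stand-in for a streamed HTTP response body) are assumptions.

```python
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap; tune per product


class OpenGraphParser(HTMLParser):
    """Collects <title> text and og:* meta tags; nothing is executed."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.fields.setdefault(a["property"], a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.fields.setdefault("title", data.strip())


def build_preview(headers, chunks, max_bytes=MAX_PREVIEW_BYTES):
    """Return (preview fields or None, bytes consumed) for a streamed response."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "text/html":
        return None, 0  # refuse archives, video, etc. before reading any body
    buf = bytearray()
    for chunk in chunks:
        buf += chunk[: max_bytes - len(buf)]
        if len(buf) >= max_bytes or b"</head>" in buf.lower():
            break  # preview metadata lives in <head>; stop pulling data
    parser = OpenGraphParser()
    parser.feed(buf.decode("utf-8", errors="replace"))
    return (parser.fields or None), len(buf)


def endless_body():
    """Constructed sample: stands in for a multi-gigabyte response body."""
    while True:
        yield b"A" * 8192
```

Because the body is consumed lazily, a link to a huge file costs at most `max_bytes`, and a non-HTML response costs no body bytes at all.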

Source: TechRadar