Over the weekend, cybersecurity researchers disclosed new security risks associated with link previews in popular messaging apps. The previews can cause the services to leak IP addresses, expose links sent in end-to-end encrypted chats, and even needlessly download gigabytes of data silently in the background.
“Links shared in chats may contain private information intended only for the recipients,” researchers Talal Haj Bakry and Tommy Mysk said.
“This could be bills, contracts, medical records, or anything that may be confidential.”
“Apps that rely on servers to generate link previews may be violating the privacy of their users by sending links shared in a private chat to their servers.”
Link previews are very common in chat apps, where they display a visual preview and a brief description of the shared link.
While apps like Signal and Wire give users the option to turn link previews on or off, a few others like Threema, TikTok, and WeChat don’t generate a link preview at all.
“This approach assumes that whoever is sending the link must trust it, since it’ll be the sender’s app that will have to open the link,” the researchers said.