Facebook Messenger and Instagram servers download the full contents of any link sent through them, private or not and regardless of size, and neither service says how long that data is kept, according to the findings of a pair of researchers.
They also published a video showing how an attacker could get JavaScript to execute on Instagram's servers, and how LinkedIn's download limit could be bypassed.
Link previews in chat apps such as Facebook Messenger, Twitter Direct Messages, Zoom and many other iOS and Android applications can leak users' location data and hand private information to third-party servers.
Several apps exposed links shared in end-to-end encrypted chats, and unnecessarily downloaded gigabytes of data quietly in the background, according to independent researchers Talal Haj Bakry and Tommy Mysk.
A link preview is the short summary, usually with a thumbnail image, that appears when a user sends a link to a news article, a Word or PDF document, or a GIF through a chat app.
Link previews can be generated in three ways: by the sender, by the receiver, or by a server. Server-generated previews are the most concerning.
When the sender generates the preview, the sending app fetches the content behind the link, builds a summary and a preview image, and attaches them to the message alongside the link.
The receiving app then displays that preview without contacting the linked site, so merely receiving a link reveals nothing to whoever controls it until the recipient chooses to open it. iMessage, Viber and WhatsApp follow this approach.
When the receiver generates the preview, the receiving app automatically opens the link to build a summary. To do that it has to connect to the server the link points to and request its content, and for the server to know where to send the reply, that request carries the phone's IP address.
If a target uses an app that works this way, an attacker only needs to send a link pointing at a server they control: the moment the message arrives, the target's app connects to it, and the logged IP address gives the attacker the user's approximate location, without the user ever tapping the link.
When a server generates the preview, the app first sends the link to an external server and asks it to build the preview, which is then returned to both sender and receiver. The problem arises when the link points to something private, say a Dropbox file shared with one person.
To build the preview, that server has to download a copy of whatever the link points to.
Bakry and Mysk note in their blog that nothing tells users the servers are downloading whatever they find behind a link, and it is not clear whether the server keeps a copy or, if it does, for how long.
The researchers found that the apps vary widely in how much their servers download. Facebook Messenger's servers download pictures and videos in full, even files gigabytes in size, and Instagram's servers download anything at all, regardless of size. LinkedIn, Zoom and Twitter cap downloads at 50 MB, 30 MB and 25 MB respectively, for any kind of file.
Most apps do put a limit on how much is downloaded, but even a 15 MB limit covers most files that would typically be shared through a link.
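To make the three approaches above concrete, here is an added example (not code from the article or from Bakry and Mysk): a small preview fetcher run against a local stand-in for the linked site. Whichever party runs the fetcher, the sender's device, the receiver's device or the chat service's server, is the one whose IP address the linked site records, which is the receiver-side leak; and the fetcher shows the two controls a preview generator needs so that it does not pull whole private documents: a fixed byte budget that holds even when the server omits or lies about its size, and a refusal to read non-HTML bodies at all. The sample site, its paths (`/article`, `/private.pdf`, `/huge.html`), its page contents and the `preview-bot/0.1` user agent are all constructed for this example.

```python
"""Bounded link-preview fetcher exercised against a constructed local site.

Added example, not code from the article or the researchers' blog. The site
records every client IP it sees (what a receiver-side preview leaks), serves
an HTML page with Open Graph tags, a large "private" PDF, and an HTML body
with no Content-Length that keeps streaming. The fetcher never reads more
than PREVIEW_BUDGET (+1) body bytes and never reads non-HTML bodies.
"""
import http.server
import threading
import urllib.request
from html.parser import HTMLParser

PREVIEW_BUDGET = 64 * 1024           # most body bytes a preview may cost us

# Constructed sample site ------------------------------------------------------
SAMPLE_HTML = b"""<html><head>
<meta property="og:title" content="Quarterly results (draft)">
<meta property="og:image" content="https://example.invalid/cover.png">
<title>fallback title</title></head><body>...</body></html>"""
LARGE_BODY_SIZE = 2 * 1024 * 1024    # a 2 MiB "private document"
SEEN_CLIENT_IPS = []                 # what the linked site learns about fetchers


class SampleSite(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"    # connection closes after each reply

    def do_GET(self):
        SEEN_CLIENT_IPS.append(self.client_address[0])   # the IP leak
        if self.path == "/article":
            self._reply("text/html; charset=utf-8", SAMPLE_HTML)
        elif self.path == "/private.pdf":
            self._reply("application/pdf", b"%PDF-1.4\n" + b"\0" * LARGE_BODY_SIZE)
        elif self.path == "/huge.html":
            # No Content-Length: the server, not the client, would otherwise
            # decide how much gets downloaded.
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self._stream(b"<p>" + b"A" * 4093, LARGE_BODY_SIZE // 4096)
        else:
            self.send_error(404)

    def _reply(self, content_type, body):
        self.send_response(200)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self._stream(body, 1)

    def _stream(self, chunk, times):
        try:
            for _ in range(times):
                self.wfile.write(chunk)
        except OSError:
            pass                     # the client stopped reading early; fine

    def log_message(self, *args):    # keep the example quiet
        pass


class _OpenGraph(HTMLParser):
    """Collects og:* meta tags and <title>; tolerates truncated HTML."""

    def __init__(self):
        super().__init__()
        self.og, self.title, self._in_title = {}, None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property", "").startswith("og:") and "content" in a:
            self.og.setdefault(a["property"], a["content"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.title is None:
            self.title = data.strip()


def fetch_preview(url, budget=PREVIEW_BUDGET):
    """Build a preview for url, reading at most budget+1 body bytes.

    Returns (preview, bytes_downloaded). Whoever runs this function is the
    party whose IP address the linked site sees.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "preview-bot/0.1"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "")
        preview = {"title": None, "image": None, "content_type": ctype, "truncated": False}
        if not ctype.startswith("text/html"):
            return preview, 0        # a document or video: do not pull it at all
        raw = resp.read(budget + 1)  # the extra byte tells us the body was cut
    preview["truncated"] = len(raw) > budget
    parser = _OpenGraph()
    parser.feed(raw[:budget].decode("utf-8", errors="replace"))
    parser.close()
    preview["title"] = parser.og.get("og:title") or parser.title
    preview["image"] = parser.og.get("og:image")
    return preview, len(raw)


def start_sample_site():
    """Serve the constructed site on a free localhost port; returns (server, base_url)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), SampleSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo():
    """Preview the three sample links; returns (results_by_path, ips_the_site_saw)."""
    SEEN_CLIENT_IPS.clear()
    server, base = start_sample_site()
    try:
        results = {path: fetch_preview(base + path)
                   for path in ("/article", "/private.pdf", "/huge.html")}
    finally:
        server.shutdown()
        server.server_close()
    return results, list(SEEN_CLIENT_IPS)


if __name__ == "__main__":
    results, ips = run_demo()
    for path, (preview, n) in results.items():
        print("%-13s downloaded %7d bytes  %s" % (path, n, preview))
    print("client IPs the linked site recorded:", ips)
```

Running it shows the article preview built from about two hundred bytes, the PDF costing zero body bytes, the unbounded page cut at the budget, and the site having logged the fetcher's address for every link. Swap the fetcher's role in your head for each design in the article: on the receiver's phone, that logged address is the recipient's; on a chat service's server, the downloaded bytes are the copy of the private file the researchers are worried about.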
“So, if these servers do keep copies, it would be a privacy nightmare if there’s ever a data breach of these servers. This is especially a concern for business apps like Zoom and Slack,” Bakry and Mysk concluded.