New Research – LinkedIn & Instagram Vulnerable to Preview-Link RCE Security Issues!

Link previews in common chat apps on iOS & Android are a ‘Hornet’s Nest’ of security & privacy issues, researchers have discovered. The risks relate to Facebook Messenger, LINE, Slack, Twitter Direct Messages, Zoom & many others. In the case of Instagram & LinkedIn, it is even possible to execute remote code on the companies’ servers through this feature, says a recent analysis.

Popular chat apps, including LINE, Slack, Twitter DMs etc., can also leak location data & share private info with 3rd-party servers.

Standard

Link previews are pretty standard in most chat apps, & they can be very useful. When a user sends a link, the app renders a short summary & a preview image in-line in the chat, so other users do not have to click the link to see where it points.

Unfortunately, there is a problem. According to independent researchers Talal Haj Bakry & Tommy Mysk, the feature can leak IP addresses, expose links sent in end-to-end encrypted chats, & has been caught “unnecessarily downloading GBs of data quietly in the background.”

Summary

The issues relate to how the previews are generated, according to the researchers. There are 3 ways to do this: the sender can generate it, the receiver can generate it, or the server can generate it. The last 2 are problematic, with the server-generated version being the most worrying.

“How does the app know what to show in the summary?” Bakry & Mysk explained. “It must somehow automatically open the link to know what’s inside. Is that safe? What if the link contains malware? What if the link leads to a very large file that you wouldn’t want the app to download & use up your data?”

Sender-Generated Links

If the sender generates the preview, the app downloads what the link points to, creates a summary & a preview image of the website, & sends these as an attachment together with the link.

“When the app on the receiving end gets the message, it’ll show the preview as it got from the sender without having to open the link at all,” explained the researchers, in a posting this week. “This way, the receiver would be protected from risk if the link is malicious.”

Viber

iMessage, Signal (if the link preview option is turned on in settings), Viber & WhatsApp all follow this best-practice approach, they noted. However, there is an issue when it comes to Viber.

“If you send a link to a large file, your phone will automatically try to download the whole file even if it’s several GBs in size,” researchers noted.

They also advised, “it’s also worth mentioning that even though Viber chats are end-to-end encrypted, tapping on a link will cause the app to forward that link to Viber servers for the purposes of fraud protection & personalised ads.”

Receiver-Generated Links

When the receiver generates the preview, the app automatically opens any link that is sent to it, with no user interaction required.

“This one is bad,” suggested the researchers, noting that the process can leak location data.

“Let’s briefly explain what happens when an app opens a link,” they wrote. “1st, the app has to connect to the server that the link leads to & ask it for what’s in the link. This is referred to as a GET request. In order for the server to know where to send back the data, the app includes your phone’s IP address in the GET request.”

IP Address

They also added, “If you’re using an app that follows this approach, all an attacker would have to do is send you a link to their own server where it can record your IP address. Your app will happily open the link even without you tapping on it, & now the attacker will know where you are down to a city block.”

A 2nd issue is that a link could potentially point to a large video or archive file.

“A buggy app might try to download the whole file, even if it’s GBs in size, causing it to use up your phone’s battery & data plan,” the researchers warned.

Server-Generated Links

Finally, in the 3rd approach, the app sends the link to an external server & asks it to generate a preview; the server then sends the preview back to both the sender & the receiver.

While this avoids the IP-address leak of the receiver-generated scenario, it potentially exposes information to 3rd parties, the researchers say, & can allow code execution on the preview server if the link points to a malicious website containing JavaScript.

Dropbox

Regarding the data exposure, the server needs to make a copy (or at least a partial copy) of the link’s contents to generate the preview.

“Say you were sending a private Dropbox link to someone, & you don’t want anyone else to see what’s in it,” researchers wrote.

“The question becomes are the servers downloading entire files, or only a small amount to show the preview? If they are downloading entire files, do the servers keep a copy, & if so for how long? Are these copies stored securely, or can the people who run the servers access the copies?”

Testing

Multiple apps use this technique for previewing links, but in testing they varied widely in how much data their servers downloaded, the researchers found:

  • Discord: Downloads up to 15 MB of any kind of file.
  • Facebook Messenger: Downloads entire files if the file is a picture or a video, even files gigabytes in size.
  • Google Hangouts: Downloads up to 20 MB of any kind of file.
  • Instagram: Just like Facebook Messenger, but not limited to any kind of file. The servers will download anything no matter the size.
  • LINE: Downloads up to 20 MB of any kind of file.
  • LinkedIn: Downloads up to 50 MB of any kind of file.
  • Slack: Downloads up to 50 MB of any kind of file.
  • Twitter: Downloads up to 25 MB of any kind of file.
  • Zoom: Downloads up to 30 MB of any kind of file.
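The receiver-generated and server-generated sections above describe two failure modes of the fetch that produces a preview: downloading an unbounded amount of data (the per-app caps listed range from 15 MB to 50 MB, and Messenger and Instagram have none) and executing whatever JavaScript the linked page carries. The following is an added example, not code from the article or from any of the apps it names, of how a preview fetcher can be written so that neither can happen: it reads at most a fixed number of bytes, refuses anything that is not HTML, and builds the summary with a static parser that never runs scripts. It goes slightly beyond the text by also handling the truncated-response case, falling back to the `<title>` tag when the cut-off lands before the Open Graph tags. The cap value, the fake response class, the `example.invalid` URL and the constructed HTML page are all assumptions made for this example.

```python
import io
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Policy values are assumptions for this example. The article reports per-app
# caps between 15 MB and 50 MB; a much smaller cap is used here to show the idea.
MAX_PREVIEW_BYTES = 512 * 1024
ALLOWED_TYPES = ("text/html", "application/xhtml+xml")


class _MetaParser(HTMLParser):
    """Collects <title> and <meta> tags only; the page's scripts are never run."""
    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta = {}
        self._in_title = False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            key = attrs.get("property") or attrs.get("name")
            if key and attrs.get("content") is not None:
                self.meta[key.lower()] = attrs["content"]
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data


def extract_preview(html_bytes):
    """Build the title/description/image summary from (possibly truncated) HTML."""
    parser = _MetaParser()
    parser.feed(html_bytes.decode("utf-8", errors="replace"))
    return {
        "title": parser.meta.get("og:title") or parser.title.strip(),
        "description": parser.meta.get("og:description") or parser.meta.get("description", ""),
        "image": parser.meta.get("og:image", ""),
    }


def read_capped(stream, cap=MAX_PREVIEW_BYTES):
    """Read at most `cap` bytes so a multi-GB link cannot exhaust data or disk."""
    buf = bytearray()
    while len(buf) < cap:
        chunk = stream.read(min(65536, cap - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
    return bytes(buf)


def fetch_preview(url, opener=urllib.request.urlopen, cap=MAX_PREVIEW_BYTES):
    """Fetch a bounded slice of the URL and summarise it without executing anything."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    req = urllib.request.Request(url, headers={"User-Agent": "preview-bot-example/0.1"})
    with opener(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_TYPES:
            # Videos, archives and other binaries get no preview and no download at all.
            return {"title": "", "description": "", "image": "", "skipped": ctype}
        body = read_capped(resp, cap)
    return extract_preview(body)


# --- Offline demonstration on a constructed page (no network is used) -----------
CONSTRUCTED_HTML = b"""<html><head>
<title>Quarterly report</title>
<meta property="og:title" content="Q3 numbers (constructed sample)">
<meta name="description" content="Internal draft, do not share">
<script>document.title = "rewritten by script";</script>
</head><body>large body follows...</body></html>"""


class FakeResponse:
    """Stand-in for urllib's HTTPResponse so the example runs without a network."""
    def __init__(self, body, content_type):
        self._buf = io.BytesIO(body)
        self.headers = {"Content-Type": content_type}
    def read(self, n=-1):
        return self._buf.read(n)
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def demo_preview(body=CONSTRUCTED_HTML, content_type="text/html; charset=utf-8",
                 cap=MAX_PREVIEW_BYTES):
    """Run fetch_preview against the constructed page through the fake opener."""
    fake_open = lambda req, timeout: FakeResponse(body, content_type)
    return fetch_preview("https://example.invalid/report", opener=fake_open, cap=cap)
```

With the full page, `demo_preview()` returns the Open Graph title and the `<script>` that tries to rewrite the title has no effect, because nothing is executed; with `content_type="video/mp4"` the body is never read; with `cap=64` the response is cut off before the `og:title` tag and the summary falls back to the `<title>` element. Running this on the sender's device is the approach the researchers call best practice. If it must run on a server, two further checks belong in front of `fetch_preview`: refuse hostnames that resolve to loopback, private or link-local addresses, and bound redirects, since `urlopen` follows them by default and a redirect can move the fetch to a different host than the one the user saw.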

Privacy Nightmare

“Though most of the app servers we’ve tested put a limit on how much data gets downloaded, even a 15 MB limit still covers most files that would typically be shared through a link (most pictures and documents don’t exceed a few MBs in size),” the researchers noted.

“So, if these servers do keep copies, it would be a privacy nightmare if there’s ever a data breach of these servers.”

The issue is of particular concern to LINE users, according to Bakry & Mysk, because LINE claims to have end-to-end encryption where only the sender and receiver can read the messages.

Encrypted Message

“When the LINE app opens an encrypted message and finds a link, it sends that link to a LINE server to generate the preview,” according to researchers.

“We believe that this defeats the purpose of end-to-end encryption, since LINE servers know all about the links that are being sent through the app, & who’s sharing which links to whom. Basically, if you are building an end-to-end encrypted app, please don’t follow the server-generated approach.”

After the researchers sent a report to the LINE security team, the company updated its FAQ to disclose that it uses external servers for link previews, along with information on how to disable them.

Facebook Messenger

Facebook Messenger & its sister app Instagram Direct Messages are the only ones in the testing that put no limit on how much data is downloaded to generate a link preview.

Facebook responded to the researchers’ concerns, saying that it considers the feature to be working as intended, but did not confirm how long it holds onto the data. Twitter gave the same response.

“As we explained to the researcher weeks ago, these are not security vulnerabilities,” a Facebook spokesperson said. “The behaviour described is how we show previews of a link on Messenger or how people can share a link on Instagram, & we don’t store that data. This is consistent with our data policy & terms of service.”

Zoom

Slack confirmed that it only caches link previews for around 30 minutes, which is also explained in its documentation.

Zoom told researchers that it is looking into the issue, & that it is discussing ways to ensure user privacy.

The researchers also contacted Discord, Google Hangouts & LinkedIn to report their findings, but said they had not received a response.

Remote Code-Execution Issues

As for the code-execution issue, the researchers posted a proof-of-concept video showing arbitrary JavaScript running on Instagram’s servers. In the case of LinkedIn Messages, the servers also ran JavaScript from the linked page, which allowed the researchers to bypass the 50 MB download limit in a test.

“You can’t trust code that may be found in all the random links that get shared in chats,” Bakry & Mysk explained.

Instagram & LinkedIn

“We did find, however, at least 2 major apps that did this: Instagram & LinkedIn. We tested this by sending a link to a website on our server which contained JavaScript code that simply made a call-back to our server. We were able to confirm that we had at least 20 seconds of execution time on these servers. It may not sound like much, & our code didn’t really do anything bad, but hackers can be creative.”

Mysk further explained that “In our testing, an attacker can run any JavaScript code on these servers. While it may not be immediately obvious how this can cause real harm, allowing JavaScript code to run leaves things open for a team of dedicated attackers. The easiest attack would be something like mining cryptocurrencies on these servers & using up their resources.”

Facebook

Facebook’s spokesman commented that the feature works as intended & is not a security vulnerability. The company added that the researchers’ presentation of the functionality does not take into account the industry-standard security measures Instagram has put in place to protect against code-execution risks, & that when the concern was reported, it “found no risk of RCE.”

Regarding LinkedIn, a spokesman observed, “To help keep our members safe, we use a sandbox environment to evaluate the security risk of the links being shared. These environments are ephemeral & have strict access controls that are designed to discover malicious code execution.

JavaScript

To this end, we do execute JavaScript in the URL contents for completeness of evaluation. We also do not cache the content of these URLs. These steps are taken to inspect content of link for safety.”

Mysk noted that such protections may be insufficient.

“Server-side mitigations such as running JavaScript code in a sandbox environment are effective in thwarting most attacks, but more sophisticated attacks could allow the attacker to leave the sandbox & execute code outside the protected environment, which could potentially allow the attacker to steal data & secret keys,” he further outlined.

“We’ve seen many successful attempts to escape the JavaScript sandbox in apps like Chrome, & these link preview servers are no different.”

Looking for Safety

The link-preview issue is just 1 more concern when it comes to the security of the collaboration apps that have become intrinsic to the work-from-home reality caused by the COVID-19 pandemic.

Some apps do not render previews at all, such as Signal (if the link preview option is turned off in settings), Threema, TikTok & WeChat.

Safest

“This is the safest way to handle links, since the app won’t do anything with the link unless you specifically tap on it,” researchers suggested.

However, they also warned that link previews are a widespread thing: “There are many email apps, business apps, dating apps, games with built-in chat, & other sorts of apps that could be generating link previews improperly, & may be vulnerable to some of the problems we’ve covered.”
