Facebook Messenger and Instagram have this huge security risk: What to do

Facebook Messenger
(Image credit: SOPA Images / Getty Images)

The link previews in many messaging and chat mobile apps on both iOS and Android create huge security and privacy risks, two researchers say. 

Facebook Messenger, Instagram, Line and LinkedIn are named as among the worst offenders, but a few others are so much worse that they can't even be mentioned until they fix their flaws.

"Link previews in chat apps can cause serious privacy problems if not done properly," researchers Talal Haj Bakry and Tommy Mysk wrote in a report posted online earlier this week. 

"We found several cases of apps with vulnerabilities such as leaking IP addresses, exposing links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data quietly in the background."

Some apps' preview functions also drained smartphone batteries. Others could make user devices or app-service remote servers run malware. Many others exposed user information that was meant to be private.

"We think link previews are a good case study of how a simple feature can have privacy and security risks," the researchers wrote.

Who's good, who's worse and who's so bad they're not named

While Facebook Messenger, Instagram and LinkedIn were singled out for risky practices, those risks affected those companies' servers rather than end users. 

Line created the worst privacy risks among the listed apps, but several parts of the report were blacked out because they involved apps whose problems were more severe and had not been fixed.

The researchers listed 16 examined apps. Besides the four named already, the other 12 were Discord, Google Hangouts, iMessage, Slack, Signal, Threema, TikTok, Twitter, Viber, WeChat, WhatsApp and Zoom

Reddit was not named in the research report but was included in a chart of examined apps posted in Ars Technica and noted as having had its problems fixed. The same chart in the actual research report did not include Reddit.

Not examined, or at least not named, were several other prominent messaging and chat apps, including Kik, Microsoft Teams, Skype, Snapchat, Telegram, Wickr Me and Wire. We'll be keeping an eye on this report to see if some of them emerge as among those with the worst problems.

A chart showing privacy and security risks of previewing links in popular messaging apps.

(Image credit: Talal Haj Bakry and Tommy Mysk)

To avoid the risks of link previews, either use messaging apps that don't do them at all, such as Threema, TikTok or WeChat, or apps that do them with minimal risk, such as Apple iMessage, Viber and WhatsApp. 

Signal falls into both camps as it lets you turn off link previews in its settings.

A link preview is a snapshot showing what's on the other end of a web link that someone else sends you. You don't have to click on the link to see it. 

The link preview usually consists of a thumbnail of the lead image on a web page plus the first few lines of text on the page. Here's an example from the Slack chat we use at Tom's Guide.

An example of a link preview in the desktop version of Slack.

(Image credit: Future/Slack)

That seems simple, but there are in fact three different ways to get that preview to show up in your chat or messaging app. Each has its own level of risk.

In the first and safest method, the message sender's app creates the link preview and sends it along with the link itself. So if your buddy Frances uses iMessage to send you a link to a page on TomsGuide.com, iMessage on her iPhone will package a small preview of the Tom's Guide page and bundle it into the link message.

"This approach assumes that whoever is sending the link must trust it, since it'll be the sender's app that will have to open the link," Bakry and Mysk wrote. 

Messaging apps that do this include Apple iMessage, Viber and WhatsApp, plus Signal if link previews are enabled.

The second method is far more dangerous. In this case, the sender's message contains only the link, and the app on the message recipient's device has to generate the link preview by opening the link before the recipient even clicks on it.

Whether you want to open the link or not, your messaging app will load the web page in the background, including any malicious content or code it might contain. The server on the other end would also learn your phone's IP address and possibly even your physical location. 

So if your mischievous cousin Evil Jake wants to mess with you, he can send you a link to a malicious site known to hack the messaging service you both use. All you have to do is view the message. 

Bakry and Mysk would not name the apps that do this. At least two of those apps also automatically download large files in previewed links, eating up bandwidth, data plans and battery life.

The third and most common method gets the messaging providers' servers involved. Services that use this method include Discord, Facebook Messenger, Google Hangouts, Instagram, Line, LinkedIn, Slack, Twitter and Zoom, plus at least one that Bakry and Mysk wouldn't name.

When the message sender embeds a link in a message, a remote server controlled by the messaging provider generates the preview and sends it to both the message sender and the message recipient.

This won't cause the message recipient's phone to run malware or download huge files, but it can cause the servicer provider's servers to do both. 

Bakry and Mysk posted videos on YouTube showing how two Instagram messages caused Facebook's servers to download two dozen gigabytes of data and run JavaScript embedded in the linked web pages. LinkedIn servers also ran JavaScript.

The server-in-the-middle configuration also creates privacy risks. If the message sender is sending a private document — say a Google Doc — to the recipient, then the service provider's servers will download at least part of that Google Doc to generate a preview. 

The service provider's staff will be able to see at least part of what's in the Google Doc as long as the data is retained. Slack, for example, told the researchers that the data is held for only 30 minutes.

It also matters how much data from the embedded link the servers use. Most use only between the first 15MB and 50MB shown on a page. 

But Facebook Messenger and Instagram load an unlimited amount of data, which is how the researchers got Instagram's servers to download multiple copies of a 2.7GB Ubuntu Linux installation file when it was linked to in a message.

What's next

Bakry and Mysk reached out to the messaging service providers with whom they found security and privacy issues. 

Line fixed one of its problems. Zoom said it was looking into the issue. But Facebook said what Bakry and Mysk observed with Messenger and Instagram wasn't actually a problem, and no response was received from Discord, Google or LinkedIn by the time the researchers posted their report.

"Since we're only two people doing this research in our spare time, we could only cover a small set of the millions of apps out there," they concluded. 

"There are many email apps, business apps, dating apps, games with built-in chat, and other kinds of apps that could be generating link previews improperly, and may be vulnerable to some of the problems we’ve covered here."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.