Security researchers have found that link previews can leak critical data

Wednesday, October 28, 2020, 14:54 GMT

In conventional chat and instant messaging apps, link preview is almost a standard feature. To make online discussions smoother, it shows the photo and text associated with a link. Unfortunately, previews can also leak our confidential data, use up our limited bandwidth, drain our battery, and in certain instances may even reveal end-to-end encrypted chat information. Facebook, Instagram, LinkedIn and Line are among the apps with such problems, according to research released this Monday.

When a sender sends a message containing a link, the application shows the text (usually the title) and the image that accompany the link, which normally looks like the following:

To do so, the application itself (or an agent designated by the application) must first open the link, fetch the file and inspect its contents. Malicious programs can be downloaded in the process. Other kinds of malicious content can make users download files that are far too large, causing the app to crash, exhausting memory, or consuming limited bandwidth. And if the link points to private content (for instance, a tax return uploaded to a private OneDrive or Dropbox account), the application's server can access it and store it indefinitely.

Security researchers Talal Haj Bakry and Tommy Mysk found on Monday that Facebook Messenger and Instagram performed poorly. Both applications download and copy the entire linked file, as seen in the picture below, even when the file is gigabytes in size. This is also a problem if the file is one the user wishes to keep private.

Even when the linked file is as large as 2.6 GB, Facebook Messenger and Instagram still download it after the link is submitted for preview.

Haj Bakry and Mysk reported their findings to Facebook, and the company said the apps were functioning normally. In an email, Facebook, which owns Instagram, said that its server only downloads a reduced version of the image, not the original file, and that the company does not retain the data.

But Mysk said the video shows Instagram downloading a 2.6 GB "image" (an Ubuntu ISO named ubuntu.png). He also found that most other messengers strip JavaScript rather than downloading and running it on their machines. LinkedIn fared slightly better; the main difference is that it copies only the first 50 megabytes instead of files of any size.

At the same time, when the Line app opens an encrypted message and detects a link, the link is still sent to the Line server to generate a preview. "We assume this undermines the intent of end-to-end encryption, since the LINE server knows all the links sent through the application and who shared the link with whom," Haj Bakry and Mysk wrote.

Discord, Google Hangouts, Slack, Twitter and Zoom also copy files, but they limit the amount of data to between 15 MB and 50 MB.
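The two defensive measures the article contrasts, refusing to fetch anything but the page's head metadata and the preview image, and capping how much of any body is ever read (the 15 to 50 MB budgets above versus Messenger's and Instagram's unbounded downloads), look like this when written as a preview fetcher. This is an added illustration, not code from the researchers or from any of the named services; the header dict and stream interface, the 50 MB and 15 MB caps, the `FakeLargeStream` stand-in for a 2.6 GB download, and the sample HTML are all constructed for the example. Only the `og:title` and `og:image` tag names are real (Open Graph) conventions.

```python
"""Bounded link-preview fetcher (constructed example, not any vendor's code)."""
import io
from html.parser import HTMLParser

HTML_CAP_BYTES = 50 * 1024 * 1024   # 50 MB: the cap the article attributes to LinkedIn
IMAGE_CAP_BYTES = 15 * 1024 * 1024  # 15 MB: low end of the 15-50 MB range in the article
CHUNK = 64 * 1024

# Constructed sample page: only the <head> metadata is needed for a preview.
SAMPLE_HTML = (b"<html><head><title>Quarterly report</title>"
               b'<meta property="og:image" content="https://files.example/report.png">'
               b"</head><body>thousands of lines of private content</body></html>")


class PreviewTooLarge(Exception):
    """Body exceeded the byte budget (declared, or observed while streaming)."""


class NotPreviewable(Exception):
    """Content-Type is not one we are willing to fetch for a preview."""


class _MetaParser(HTMLParser):
    """Pulls <title>, og:title and og:image out of the document head."""

    def __init__(self):
        super().__init__()
        self.title = None
        self.image = None
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            prop = a.get("property")
            if prop == "og:image" and self.image is None:
                self.image = a.get("content")
            elif prop == "og:title" and self.title is None:
                self.title = a.get("content")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and self.title is None:
            self.title = data.strip()


def bounded_body(headers, stream, allowed_types, max_bytes):
    """Return the body only if its type is allowed and it fits within max_bytes.

    headers: dict of lower-cased response header names to values (assumed shape).
    stream:  file-like object whose read(n) returns bytes.
    Content-Length is checked first so an oversized file is rejected before any
    body byte is transferred; the stream is then read in chunks and abandoned as
    soon as the budget is exceeded, so a missing or false Content-Length cannot
    turn into an unbounded download.
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in allowed_types:
        raise NotPreviewable(ctype or "<missing content-type>")
    declared = headers.get("content-length")
    if declared is not None and int(declared) > max_bytes:
        raise PreviewTooLarge(f"declared {declared} bytes > cap {max_bytes}")
    buf = bytearray()
    while True:
        # Never request more than one byte past the budget.
        chunk = stream.read(min(CHUNK, max_bytes - len(buf) + 1))
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:
            raise PreviewTooLarge(f"stream exceeded cap {max_bytes}")


def build_preview(headers, stream, max_bytes=HTML_CAP_BYTES):
    """Fetch an HTML page within budget and return only title/image metadata."""
    body = bounded_body(headers, stream, {"text/html", "application/xhtml+xml"}, max_bytes)
    parser = _MetaParser()
    parser.feed(body.decode("utf-8", "replace"))
    parser.close()
    return {"title": parser.title, "image": parser.image, "bytes_read": len(body)}


def fetch_preview_image(headers, stream, max_bytes=IMAGE_CAP_BYTES):
    """Fetch the og:image target, but only if it is a real image type and fits."""
    return bounded_body(headers, stream,
                        {"image/png", "image/jpeg", "image/gif", "image/webp"}, max_bytes)


class FakeLargeStream:
    """Constructed stand-in for a multi-gigabyte download: serves `total` filler bytes."""

    def __init__(self, total):
        self.total, self.served = total, 0

    def read(self, n):
        n = min(n, self.total - self.served)
        self.served += n
        return b"\x00" * n


def demo():
    """Run the article's scenarios against the bounded fetcher; returns a result dict."""
    results = {}
    # 1. Ordinary page: preview built from head metadata only.
    results["html"] = build_preview({"content-type": "text/html; charset=utf-8"},
                                    io.BytesIO(SAMPLE_HTML))
    # 2. 2.6 GB file served as ubuntu.png with a declared length: rejected before any body byte.
    big = FakeLargeStream(2_600_000_000)
    try:
        fetch_preview_image({"content-type": "image/png", "content-length": "2600000000"}, big)
    except PreviewTooLarge:
        results["declared_oversize"] = ("rejected", big.served)
    # 3. Same size, no Content-Length, tiny budget: the stream is abandoned one byte past the cap.
    big2 = FakeLargeStream(2_600_000_000)
    try:
        build_preview({"content-type": "text/html"}, big2, max_bytes=1024)
    except PreviewTooLarge:
        results["streamed_oversize"] = ("rejected", big2.served)
    # 4. ISO served with its true type: not something a preview should fetch at all.
    try:
        fetch_preview_image({"content-type": "application/octet-stream"}, FakeLargeStream(10))
    except NotPreviewable:
        results["wrong_type"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The budget is enforced twice on purpose: the Content-Length check is cheap but advisory, since a server can omit or misstate it, so the streamed read is the control that actually bounds bandwidth and memory. Restricting the fetch to HTML and image types is what keeps an arbitrary file behind a link from being copied to the preview server at all.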