I think this is easily solved by having the iOS device send a request to “open link” to an Apple-hosted “preview generator” server, which then returns the preview to the iOS device. iOS device and malicious server never meet and data is not exchanged.
 
  • Disagree
Reactions: EmotionalSnow
It's interesting in this case (and probably many others) how there is a direct tradeoff between device security and data privacy.

If everything is generated externally and only a preview image is sent to your device, there is no security risk to your device (unless you open the link), but a privacy disadvantage.

If everything is generated on-device, there's no privacy issue in terms of third party services, but there is a privacy issue if the link is being used maliciously to track the user, and there's a potential security risk if there's a vulnerability on the page that requires no user interaction.

Of course, on the privacy side, if any sensitive content being linked to doesn't require a login, then it is only offering security by obscurity, which is so bad from a security standpoint already, so that's kind of a moot point. You likewise shouldn't be pushing passwords or whatnot in the URL.

Which is to say the researchers are right that the potential privacy hit is better than the potential local security hit, although I'm loath to say that when Facebook is involved since you can be pretty sure they're going to use this to abusively harvest and store any user data they possibly can.

I don't see Apple Messages anywhere on that list, and I know it generates previews, so I'm assuming they're the redacted one?

Interestingly, I've noticed that Messages will generate a preview of links from contacts in my address book, but does NOT generate a preview of links from other contacts. So I don't get previews from spam links or things like UPS tracking alerts, but I do get them from friends and co-workers.

This isn't perfect from a security standpoint, but seems like a not-so-bad compromise.
 
  • Disagree
Reactions: EmotionalSnow
In fact I have mentioned in the discussion below how scammers and hackers working for various dictatorships are sending links and link previews to people on apps like Instagram and TikTok. From my research asking around these links aren’t quite sent randomly. They target individuals they want to hack, scam or frame for political or financial motives. They must have used these links to collect data or money from many people, including the children of public figures.

The social media platforms don’t care. At. All. Not one bit. It would be very easy to make it so that fake accounts can’t send messages unless they have a number of real connections who they have genuine and natural reactions with. It should also be easy to remove your contact button from strangers, but on IG that’s not possible even if you set your account to private.

But I fear that Twitter and Facebook deliberately want this kind of activity to take place and may be looking to profit from certain socially engineered situations in the future.

 
It's interesting in this case (and probably many others) how there is a direct tradeoff between device security and data privacy.

If everything is generated externally and only a preview image is sent to your device, there is no security risk to your device (unless you open the link), but a privacy disadvantage.

If everything is generated on-device, there's no privacy issue in terms of third party services, but there is a privacy issue if the link is being used maliciously to track the user, and there's a potential security risk if there's a vulnerability on the page that requires no user interaction.

Of course, on the privacy side, if any sensitive content being linked to doesn't require a login, then it is only offering security by obscurity, which is so bad from a security standpoint already, so that's kind of a moot point. You likewise shouldn't be pushing passwords or whatnot in the URL.

Which is to say the researchers are right that the potential privacy hit is better than the potential local security hit, although I'm loath to say that when Facebook is involved since you can be pretty sure they're going to use this to abusively harvest and store any user data they possibly can.

I don't see Apple Messages anywhere on that list, and I know it generates previews, so I'm assuming they're the redacted one?

Interestingly, I've noticed that Messages will generate a preview of links from contacts in my address book, but does NOT generate a preview of links from other contacts. So I don't get previews from spam links or things like UPS tracking alerts, but I do get them from friends and co-workers.

This isn't perfect from a security standpoint, but seems like a not-so-bad compromise.

iMessage generates the preview on the sender’s device which is the correct way to do this. The problem here is some crappy third party apps don’t do this and/or have no size limit for what is fetched for the preview.
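The size limit mentioned in the post above, as an added example that is not part of the original thread or any app's own code: a sender-side preview builder that stops reading after a fixed number of bytes and extracts only Open Graph metadata. The 64 KiB cap, the function names and the sample pages are assumptions made for illustration.

```python
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap; the thread names no figure

# Constructed sample input, not captured from a real site.
HEAD = (b'<html><head><meta property="og:title" content="Release notes">'
        b'<meta property="og:description" content="Constructed sample page">'
        b'</head><body>')
SMALL = HEAD + b"ok</body></html>"
HUGE = HEAD + b"A" * (5 * 1024 * 1024)  # a page that never seems to end


class _OGParser(HTMLParser):
    """Collects the first og:title / og:description / og:image seen."""

    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop in ("og:title", "og:description", "og:image") and a.get("content"):
            self.meta.setdefault(prop[3:], a["content"])


def read_capped(stream, limit=MAX_PREVIEW_BYTES, chunk=4096):
    """Read at most `limit` bytes; also report whether the source had more."""
    buf = bytearray()
    while len(buf) < limit:
        data = stream.read(min(chunk, limit - len(buf)))
        if not data:
            return bytes(buf), False
        buf += data
    return bytes(buf), bool(stream.read(1))  # one-byte probe, then stop


def build_preview(url, stream, limit=MAX_PREVIEW_BYTES):
    """Build the preview on the sender; the receiver only renders this dict."""
    body, truncated = read_capped(stream, limit)
    parser = _OGParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    return {"url": url, "truncated": truncated, **parser.meta}


if __name__ == "__main__":
    print(build_preview("https://example.invalid/small", io.BytesIO(SMALL)))
    print(build_preview("https://example.invalid/big", io.BytesIO(HUGE)))
```

In a real client the `stream` would be the HTTP response body, read incrementally rather than buffered whole, so the cap bounds what is downloaded as well as what is parsed.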
 
Where do we go to turn off Link Preview? I went to Settings --> Safari and didn't see where to turn off Link Preview.
Click and hold down on a link in Safari and when you see the preview picture you'll see small words at the top saying hide preview and that will also disable email link previews as well.
When we used to have 3D Touch on our devices I could lightly press on an email link to see the url. Without 3D Touch that was gone but I discovered this trick to fix that problem.
 
  • Like
Reactions: Luba
Click and hold down on a link in Safari and when you see the preview picture you'll see small words at the top saying hide preview and that will also disable email link previews as well.
When we used to have 3D Touch on our devices I could lightly press on an email link to see the url. Without 3D Touch that was gone but I discovered this trick to fix that problem.
Thanks! Shutting off preview on one device shuts it off across all iOS devices. I went to shut it off on my iPad and it was already shut off. The shut off preview setting must be saved on my Apple ID.
 
  • Like
Reactions: JosephAW
Excuse me, may I mention Telegram again?

From my experience, Telegram generates link previews on its own servers. You send a link, Telegram fetches its contents, if it can, probably caches it, and then you are previewing already prepared contents without exposing your IP, cookies or anything. This, of course, means you cannot preview anything paywalled or password protected. Also some user data harvesting services like TikTok don't like to give their content to a bot, so you can't preview TikTok sometimes. But normal internet pages and images work just as expected.

Sometimes I read news about Messages and they look like they are from the 20th century.
 
More and more, I appreciate Apple and iMessage.

It’s clearly not perfect, but every time I get frustrated about a choice they’ve made (20-watt charging brick ONLY for full-speed MagSafe charging is BS), I see reports like this, and I’m reminded why I’m in this ecosystem.
 
  • Like
Reactions: EmotionalSnow
iMessage generates the preview on the sender’s device which is the correct way to do this. The problem here is some crappy third party apps don’t do this and/or have no size limit for what is fetched for the preview.
Ahh, I have been educated. That certainly is the best way to do it, which I suppose shouldn't therefore be surprising that it's the way Apple does it.

That explains why I only get previews from people in my address book--they're the ones using Messages.
 
Click and hold down on a link in Safari and when you see the preview picture you'll see small words at the top saying hide preview and that will also disable email link previews as well.
When we used to have 3D Touch on our devices I could lightly press on an email link to see the url. Without 3D Touch that was gone but I discovered this trick to fix that problem.
Can Link Preview be shut off on Safari on my Mac?
 
  • Wow
Reactions: JosephAW
Click and hold down on a link in Safari and when you see the preview picture you'll see small words at the top saying hide preview and that will also disable email link previews as well.
When we used to have 3D Touch on our devices I could lightly press on an email link to see the url. Without 3D Touch that was gone but I discovered this trick to fix that problem.
I mean . . . can this be initiated on a Mac? I turned off Link Preview using my iPhone and when I go to iMessage on my iPad and Mac I see that Link Preview is turned off for those devices too. Could I have turned off Link Preview using my Mac?
 
  • Wow
Reactions: JosephAW