A big security problem hides in messaging apps

From Messenger and WhatsApp to Zoom: a big problem threatening user security hides in all popular messaging apps

Messaging apps can hide security problems: the risk would lie in the preview of links shared through chat. In the code of that short summary of the article and of the image accompanied in preview, it would be hidden in fact the possibility to trace the IP address of users and not only.

As revealed by independent researchers Talal Haj Bakry and Tommy Mysk, sharing a link could be a potentially dangerous operation, especially for the privacy of one's own data. In fact, in addition to the IP, these applications could leave the shared links exposed in conversations protected by end-to-end encryption (and, in the case of WhatsApp, encryption does not always work the same way) and, above all, download particularly large amounts of data in the background, without the user being able to notice and prevent it. The problem, according to the two experts, is particularly long-standing and should be sought in the methodology of generating previews.

Messaging apps: which ones are at risk

The apps at risk are some of the most widely used, both for personal and professional communication. Among the names mentioned by Bakry and Mysk are Facebook Messenger and Twitter's direct messages, Zoom, LINE, Instagram's internal chat and the business collaboration tool Slack.

If some of these apps, such as Slack, Twitter DMs and LINE are able to share location information and other private data with third-party servers, Instagram is also at risk. From the social network's messaging system, it's possible to execute remote code directly on the company's servers.

All apps that don't automatically preview links, such as TikTok, WeChat or Signal, are not affected if the preview option has been disabled in the settings.

Messaging apps and security issues: what's going on

As mentioned above, the problem would be in the preview generation, which can happen in three different ways: by the sender, by the recipient or by the server. Although the last two can be the most at risk, it's the server one that worries the two IT experts the most.

In fact, in the latter case, it's the server that decides to open the link, even if there are hidden malware inside and ready to strike. The same is true for large files, which could be downloaded in the background, using the recipient's connection but without any visible trace.

For apps like iMessage, WhatsApp and Signal, the choice fell on the preview generated by the sender; in this case it is the sender who runs any risks in case of malware presence. For others, who have opted for server or recipient-side preview generation, the situation is different.

In these two scenarios, the recipient's data is exposed to direct risks. In fact, in recipient-side preview generation, the app would automatically open the link even without the tap by sending IP and geolocation information to a server capable of recording such information. The same applies to large files, automatically downloaded with a considerable weight especially on mobile connections.

In the second one, the one where the preview is generated server-side, the problem is even different. In this case, the risk is that the external server can make a copy of the content to be downloaded (just think of a private file exchanged between two users) or allow the execution of potentially dangerous code in case the link points to a site with malicious JavaScript.