On Monday, researchers Talal Haj Bakry and Tommy Mysk published a report detailing how link previews create vulnerabilities in several major messaging apps. Facebook Messenger, Instagram, Line, and LinkedIn were the worst offenders, likely joined by Reddit. Because the apps' servers fetch a link on the user's behalf to generate a preview, private files can end up downloaded onto those corporate servers, and the same servers can be exposed to malware.
Luckily, other companies don't let JavaScript run wild on their servers and generally fared at least a little better. On the download front, LinkedIn only copied up to 50 megabytes of a file. Google Hangouts, Line, Slack, Twitter, and Zoom also cap their copies at similarly low limits. Line also effectively decrypts messages to get at the link, which makes its end-to-end encryption feature moot, but the company was responsive to the report and at least protects users' IP addresses in this process now.
The safest way through this issue is to not preview links at all (Signal, Threema, TikTok, and WeChat) or to generate the preview only on the sender's device (iMessage, Signal, Viber, and WhatsApp). Signal makes a dual appearance because users can turn link previews on and off in their settings. Depending on how the apps open links, users could be forced to download the entire file themselves and drain their battery in the process.
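As an added example, not code from this article or from the researchers' report, here is how a server-side preview service can avoid the behaviours described above: it refuses anything that is not HTML, rejects oversized responses both from the declared length and while streaming, and pulls title and description out of the markup with a tag parser that never evaluates scripts. Network I/O is replaced by constructed in-memory responses so it runs offline; the 1 MiB cap and every function name are assumptions, not anything the apps in the article use.

```python
"""Hardened link-preview builder (illustrative; all names and the cap are assumed)."""
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 1 * 1024 * 1024  # assumed cap: <head> metadata never needs more


class PreviewTooLarge(Exception):
    """Raised when a response would exceed the byte cap."""


class UnsupportedContent(Exception):
    """Raised for non-HTML responses (PDFs, archives, images): do not fetch them."""


class MetaParser(HTMLParser):
    """Collect <title> and Open Graph <meta> tags. HTMLParser only tokenises markup,
    so a <script> in the page is inert text here, never executed."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.og = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def read_capped(stream, limit=MAX_PREVIEW_BYTES, chunk=4096):
    """Read at most `limit` bytes from a file-like object; abort instead of
    mirroring an arbitrarily large file onto the preview server."""
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf.extend(piece)
        if len(buf) > limit:
            raise PreviewTooLarge(f"response body exceeded {limit} bytes")


def build_preview(headers, stream, limit=MAX_PREVIEW_BYTES):
    """Return {'title': ..., 'description': ...} for an HTML response.

    `headers` is a dict of response headers, `stream` a file-like body.
    Content-Type and Content-Length are checked before any body byte is read."""
    ctype = (headers.get("Content-Type") or "").split(";")[0].strip().lower()
    if ctype != "text/html":
        raise UnsupportedContent(ctype or "<missing Content-Type>")
    clen = headers.get("Content-Length")
    if clen is not None and int(clen) > limit:
        raise PreviewTooLarge(f"declared length {clen} exceeds {limit} bytes")
    body = read_capped(stream, limit)  # still capped: Content-Length can lie or be absent
    p = MetaParser()
    p.feed(body.decode("utf-8", errors="replace"))
    return {
        "title": p.og.get("og:title") or p.title.strip(),
        "description": p.og.get("og:description", ""),
    }


def preview_or_error(headers, body_bytes, limit=MAX_PREVIEW_BYTES):
    """Convenience wrapper returning (preview, None) or (None, error_name)."""
    try:
        return build_preview(headers, io.BytesIO(body_bytes), limit), None
    except (PreviewTooLarge, UnsupportedContent) as exc:
        return None, type(exc).__name__


# Constructed sample responses (not real traffic).
SAMPLE_HTML = b"""<html><head><title>Quarterly report</title>
<meta property="og:title" content="Q3 results">
<meta property="og:description" content="Summary page">
<script>document.title = "changed by script";</script>
</head><body>body text</body></html>"""
HTML_HEADERS = {"Content-Type": "text/html; charset=utf-8"}

if __name__ == "__main__":
    print(preview_or_error(HTML_HEADERS, SAMPLE_HTML))
    print(preview_or_error({"Content-Type": "application/pdf"}, b"%PDF-1.7 ..."))
    print(preview_or_error(HTML_HEADERS, b"<html>" + b"x" * 2_000_000))
```

Two checks matter most in practice: the Content-Length test is cheap but advisory, since a server can omit or misstate it, so the streaming cap in `read_capped` is what actually bounds what lands on disk; and refusing every non-HTML content type means a link to a private document is never copied at all, rather than copied and then discarded.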
Based on Ars Technica's reporting on the study, it seems that Reddit was also flagged for battery draining and IP address exposure. It's still redacted in the original report, which was done in response to the company working on fixing both problems. This redaction adds to the slight muddiness of the report, but the demos provide ample evidence that you should avoid link previews. Or just use TikTok for all your DM sliding.