
The links in your DMs probably aren’t secure

A new study only cleared iMessage, Signal, Threema, TikTok, and WeChat.


On Monday, researchers Talal Haj Bakry and Tommy Mysk published a report detailing how link previews create vulnerabilities in several major messaging apps. Facebook Messenger, Instagram, Line, and LinkedIn were the worst offenders, likely joined by Reddit. Link previews make it possible for private files to be downloaded onto the companies' servers, and for those same servers to be exposed to malware hosted at the linked address.

'Private' messages — Link previews basically open websites on your behalf before you tap them, so having them enabled, or not being able to toggle the feature off, can create security issues. As seen in the above video, sending a link to a private file — such as a tax return or your high school poetry — triggers a download of that file onto Instagram's and Facebook Messenger's servers. When notified, Facebook determined that everything was working as intended, claiming the original files are not downloaded and that the company doesn't keep the downscaled data (the video shows an entire file being downloaded). Facebook's servers will also just download and run any JavaScript found at the link, though the company claims its infrastructure vets all code for safety.

Luckily, other companies don't let JavaScript run wild on their servers and generally fared at least a little better. On the download front, LinkedIn only copied up to 50 megabytes of a file. Google Hangouts, Line, Slack, Twitter, and Zoom also copy files up to similarly low limits. Line's servers also decrypt messages to get at the link, which makes its end-to-end encryption feature moot, but the company was responsive to the report and at least protects users' IP addresses in this process now.

The safest way through this issue is to not preview links at all (Signal, Threema, TikTok, and WeChat) or to generate the preview only on the sender's device (iMessage, Signal, Viber, and WhatsApp). Signal makes a dual appearance because users can turn link previews on and off in their settings. Depending on how the apps open links, users could be forced to download the entire file themselves and drain their battery in the process.
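The size limits and JavaScript handling described above come down to how a server-side preview fetcher is written. Below is an added illustration, not code from the report or from any of the apps named, of a bounded fetcher that does the defensive things the better-behaved services do: it refuses to download anything that is not an HTML page (so a linked tax return is never copied), it stops reading after a byte cap, and it extracts the title and image URL with a plain HTML parser rather than executing the page. The URLs, page contents, and the `fake_fetch` transport are constructed for the example so it runs offline; `max_bytes` is a hypothetical parameter, set far below LinkedIn's 50 MB cap to keep the sample small.

```python
"""Bounded server-side link-preview fetcher (added example, not any app's code)."""
import codecs
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, Optional, Tuple

# A fetch returns (status, headers, body chunks). In production this would wrap
# an HTTP client; here it is injected so the example needs no network.
FetchResult = Tuple[int, Dict[str, str], Iterable[bytes]]
Fetcher = Callable[[str], FetchResult]

ALLOWED_TYPES = {"text/html", "application/xhtml+xml"}  # only pages get previewed


class _MetaExtractor(HTMLParser):
    """Pulls <title> and og:* meta tags out of HTML. Scripts are never evaluated;
    HTMLParser treats <script> bodies as opaque text."""

    def __init__(self) -> None:
        super().__init__()
        self.title: Optional[str] = None
        self.og: Dict[str, str] = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and str(a.get("property", "")).startswith("og:") and a.get("content"):
            self.og[a["property"]] = a["content"]

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title and data.strip():
            self.title = (self.title or "") + data.strip()


def build_preview(url: str, fetch: Fetcher, max_bytes: int = 64 * 1024) -> Optional[dict]:
    """Return {'url','title','image','bytes_read'} for an HTML page, or None.
    Non-HTML responses are rejected before a single body byte is read, and at most
    max_bytes of an HTML body are ever consumed."""
    status, headers, chunks = fetch(url)
    if status != 200:
        return None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_TYPES:
        return None  # a PDF, image or archive: do not download it at all

    parser = _MetaExtractor()
    decoder = codecs.getincrementaldecoder("utf-8")("replace")  # safe across chunk splits
    received = 0
    for chunk in chunks:
        already = received
        received += len(chunk)
        if received > max_bytes:
            parser.feed(decoder.decode(chunk[: max_bytes - already], final=True))
            break  # stop pulling bytes; the rest of the body is never fetched
        parser.feed(decoder.decode(chunk))
    parser.close()
    return {
        "url": url,
        "title": parser.title,
        "image": parser.og.get("og:image"),
        "bytes_read": min(received, max_bytes),
    }


# ---- constructed sample "web" for offline use ---------------------------------
SAMPLE_SITE: Dict[str, Tuple[int, Dict[str, str], bytes]] = {
    "https://example.test/article": (200, {"content-type": "text/html; charset=utf-8"},
        b'<html><head><title>Quarterly report</title>'
        b'<meta property="og:image" content="https://example.test/cover.png">'
        b'</head><body><script>alert(1)</script><p>hello</p></body></html>'),
    "https://example.test/tax-return.pdf": (200, {"content-type": "application/pdf"},
        b"%PDF-1.7 " + b"x" * 100_000),
    "https://example.test/huge": (200, {"content-type": "text/html"},
        b"<html><head><title>Big page</title></head><body>"
        + b"<p>padding</p>" * 100_000 + b"</body></html>"),
}
SERVED: Dict[str, int] = {}  # bytes actually streamed per URL, to prove the caps hold


def fake_fetch(url: str, chunk_size: int = 4096) -> FetchResult:
    status, headers, body = SAMPLE_SITE[url]

    def chunks():
        for i in range(0, len(body), chunk_size):
            piece = body[i : i + chunk_size]
            SERVED[url] = SERVED.get(url, 0) + len(piece)
            yield piece

    return status, headers, chunks()


if __name__ == "__main__":
    for u in SAMPLE_SITE:
        print(u, "->", build_preview(u, fake_fetch), "served:", SERVED.get(u, 0))
```

The two other strategies the study found safest need no server code at all: either never build a preview, or build it on the sender's device with this same bounded logic so the message content never touches the provider's infrastructure.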

Based on Ars Technica's reporting on the study, it seems that Reddit was also flagged for battery draining and IP address exposure. It's still redacted in the original report, which was done in response to the company working on fixing both problems. This redaction adds to the slight muddiness of the report, but the demos provide ample evidence that you should avoid link previews. Or just use TikTok for all your DM sliding.