Server-side link previews in Facebook Messenger may expose you to serious privacy and security risks

Security researchers Tommy Mysk and Talal Haj Bakry have recently published a detailed report on how the server-side link previews generated by Facebook Messenger may expose users to privacy and security risks.

According to them, when a user sends a website link or a link to a personal document to another person on Messenger, the recipient receives the message together with a link preview. Behind the scenes, Facebook hands the link to an external server and asks it to generate the preview, which is then sent to both the sender and the recipient. This kind of server-side link preview is dangerous because the link may point to private information: that content is downloaded onto an external server, and although Facebook trusts those servers, users have no visibility into what happens to their private data there. It is not clear whether the server downloads the whole document or keeps a copy of it. Worse still, Facebook gives users no indication of how it generates those link previews.

This is why the researchers consider Facebook Messenger unsafe to use until Facebook builds solid protection around users’ messages in normal chats. Secret Conversations are end-to-end encrypted, as is WhatsApp, but in ordinary Messenger chats there is no denying that Facebook can spy on users through the content of their messages.

Then there are ‘sender-side link previews’, the approach used by TikTok, WeChat, WhatsApp, and even iMessage. Here, when a user sends a link, their own messaging app downloads the linked content, builds a summary and a preview image, and attaches them to the message alongside the link. Signal, likewise, lets users enable or disable link previews. In this system it is the sender’s app that has to open the link, so the approach is potentially safe for the recipient.

However, there is another approach that is quite dangerous for recipients: ‘receiver-side link previews.’ This is the exact opposite of the sender-side approach, since the recipient’s device is the one that fetches the link, and it exposes recipients to malware delivered through those links.

Even where servers are allowed to download content, there is normally a limit on how much can be downloaded. Various apps allow 20-50 MB of data to be downloaded, but Facebook’s servers have been observed downloading files of around 2.6 GB. In their tests, the researchers were able to have 24.7 GB of data downloaded onto their servers from Facebook’s servers.
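As an added illustration (not code from the researchers or from any messaging app), the Python below shows a sender-side preview generator that enforces the kind of download cap the paragraph above describes: it rejects an oversized body on Content-Length first, again while streaming, and keeps only the Open Graph fields rather than the page itself. The 20 MB cap, the sample page and the function names are assumptions.

```python
import html
import re
from io import BytesIO

# Per-preview download budget. The article says most apps allow 20-50 MB;
# 20 MB is an assumed example value, not any vendor's real setting.
MAX_PREVIEW_BYTES = 20 * 1024 * 1024

class PreviewTooLarge(Exception):
    """The linked resource exceeds the preview download budget."""

def read_capped(stream, max_bytes, chunk_size=64 * 1024):
    """Read a file-like body, aborting once the running total passes the cap.
    The running total matters because Content-Length can be absent or wrong."""
    buf = bytearray()
    while chunk := stream.read(chunk_size):
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise PreviewTooLarge(f"aborted after {len(buf)} bytes (cap {max_bytes})")
    return bytes(buf)

# Assumes 'property' precedes 'content', as in typical Open Graph markup.
_OG_META = re.compile(
    r'<meta\b[^>]*\bproperty=["\']og:(title|description|image)["\'][^>]*'
    r'\bcontent=["\']([^"\']*)["\']', re.I)

def build_preview(stream, declared_length=None, max_bytes=MAX_PREVIEW_BYTES):
    """Sender-side preview with a hard byte budget: reject on Content-Length
    first, then while streaming. Only og:title/description/image are kept;
    the og:image URL would be fetched through read_capped with the same cap."""
    if declared_length is not None and declared_length > max_bytes:
        raise PreviewTooLarge(f"declared {declared_length} bytes exceeds cap {max_bytes}")
    text = read_capped(stream, max_bytes).decode("utf-8", errors="replace")
    preview = {}
    for prop, content in _OG_META.findall(text):
        preview.setdefault(prop.lower(), html.unescape(content))  # first wins
    return preview

def preview_from_bytes(data, declared_length=None, max_bytes=MAX_PREVIEW_BYTES):
    """Convenience wrapper for an already-buffered body (used with the sample)."""
    return build_preview(BytesIO(data), declared_length, max_bytes)

# Constructed sample page, not captured from any real service.
SAMPLE_PAGE = (
    b"<html><head><title>Q3 draft</title>"
    b'<meta property="og:title" content="Quarterly report (draft)">'
    b'<meta property="og:image" content="https://example.invalid/cover.png">'
    b"</head><body>confidential body text</body></html>")
```

The body text of the sample page never leaves the function; only the two Open Graph values do.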

These are huge numbers, and they further reinforce the point that Facebook Messenger is not as safe as users may think.
