Popular chat apps sometimes use link previews as a convenient shortcut. Link previews are the pop-up boxes you might see on a chat app or other social media platform when you share a URL. A link preview summarizes the contents of the URL, displaying the name of the linked website, an image and a description of the site’s content. An app pulls this information either from the website’s standard HTML tags or from ad hoc meta tags.

However, when implemented improperly, this feature can put users’ digital security and privacy at risk.

Understanding the Social Media Vulnerabilities of a Link Preview

Services that create an automatic link preview when a user types in a URL generally use one of three approaches:

  1. The sending app or social media platform downloads the linked content and generates the preview itself. The receiving app then simply displays that preview; it never needs to open the link, so potentially malicious content hosted on the linked website doesn’t reach the recipient right away.
  2. The second approach uses an external server as a middleman between the sending and receiving apps. That server fetches the link and generates the preview.
  3. In the third approach, the receiving app itself fetches the link and creates the preview.

The privacy issues inherent in link previews largely come from the second and third approaches. For instance, the external server used in the second approach often keeps at least a partial copy of the linked content it used to build the preview. That threatens users’ privacy if the URL links to a document or web page containing personal data.

Researchers Talal Haj Bakry and Tommy Mysk examined various apps and social media platforms for potential problems with link previews. They found that the apps downloaded varying amounts of data depending on the nature of the linked file. In particular, they saw two popular social services (Instagram and Facebook Messenger) download linked picture and video files in their entirety, even when those files were gigabytes in size.

The privacy challenges don’t end there. To open a link, a user’s machine needs to communicate with the server to which the link points. This means the server will learn the user’s IP address, which could expose their location. This isn’t a problem with the first approach: the user sending the URL is the one whose machine contacts the linked server, and they presumably trust a link they chose to share.

With the third approach, however, the server hosting the linked content gleans the recipient’s IP address and location from the receiver’s machine when the receiving app fetches the link. That means the recipient doesn’t need to take any action for a link preview to potentially expose their details.

There’s also the issue of users’ security. Attackers could prey upon users by sending URLs to websites containing JavaScript code and relying on the preview generator to load the page. Two platforms in particular allowed at least 20 seconds of execution time for JavaScript on linked websites. This gives attackers an opening to target users with malware.
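The two defender-side fixes implied above, capping what a preview generator downloads and parsing the page as static markup instead of rendering it, can be seen in this added example (written for this page; it is not code from the researchers or from any of the apps discussed). The `should_fetch_body` helper, the 64 KiB cap and the sample page are constructed assumptions for illustration:

```python
"""Added example, not from the original article: a link-preview extractor that reads
only HTML metadata from a capped number of bytes and never renders or executes
the page. The sample page and should_fetch_body helper are constructed here."""
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # parse at most 64 KiB; never a multi-gigabyte video

def should_fetch_body(headers: dict) -> bool:
    """Decide from response headers alone whether to read the body at all:
    only text/html is ever downloaded, and declared sizes above the cap are skipped."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/html":
        return False
    length = headers.get("content-length")
    return length is None or (length.isdigit() and int(length) <= MAX_PREVIEW_BYTES)

class _MetaParser(HTMLParser):
    """Collects <title> and Open Graph / description meta tags; ignores all else."""
    def __init__(self):
        super().__init__()
        self.fields, self._in_title = {}, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            key = a.get("property") or a.get("name")
            if key in ("og:title", "og:description", "og:image", "description"):
                self.fields[key] = a.get("content") or ""
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:  # script bodies are never collected, only static title text
            self.fields["title"] = self.fields.get("title", "") + data.strip()

def extract_preview(body: bytes, max_bytes: int = MAX_PREVIEW_BYTES) -> dict:
    """Parse only the first max_bytes of an HTML body as static markup."""
    p = _MetaParser()
    p.feed(body[:max_bytes].decode("utf-8", errors="replace"))
    p.close()
    return {"title": p.fields.get("og:title") or p.fields.get("title", ""),
            "description": p.fields.get("og:description") or p.fields.get("description", ""),
            "image": p.fields.get("og:image", "")}

SAMPLE_PAGE = b"""<html><head><title>Example Page</title>
<meta property="og:title" content="Quarterly report">
<meta property="og:image" content="https://example.test/cover.png">
<meta name="description" content="Internal numbers">
<script>document.title = "changed by script"</script></head><body>...</body></html>"""
```

Because the page is parsed rather than rendered, the `<script>` in the sample has no effect on the extracted title, and a video or oversized document is rejected from its headers before any body bytes are read.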

Link Preview Best Practices

In general, app developers need to consider the privacy and security implications of a feature before they release it. In the meantime, organizations and users alike can harden themselves against the weaknesses in link previews by following security best practices. Make sure you have up-to-date antivirus programs running on your own and your employees’ machines. Alongside possibly disabling JavaScript by default in the browser, an up-to-date antivirus solution can help prevent attackers from leveraging link previews to distribute malware. In addition, users and organizations can use virtual private networks (VPNs) to conceal their IP addresses and locations, link preview or not.
