Popular chat apps sometimes use link previews as a convenient shortcut. Link previews are pop-up boxes you might see on a chat app or other social media platform when you share a URL. Link previews summarize the contents of the URL and display the name of the linked website, an image and a description of the website’s content. An app pulls this information from either the website’s standard HTML programming language tags or ad hoc meta tags.

However, when implemented improperly, this feature can put users’ digital security and privacy at risk.

Understanding the Social Media Vulnerabilities of a Link Preview

Services that create an automatic link preview from users typing in a URL generally use one of three approaches:

  1. An app or social media platform downloads the link content and generates the preview. The receiving app then shows the preview. It doesn’t need to open the link, so potentially malicious content hosted on the linked website doesn’t reach the user right away.
  2. The second approach uses an external server as a middle man between the sending and receiving apps. This generates the link preview.
  3. Meanwhile, in the third approach the receiving app creates the preview.

The privacy issues inherent in link previews largely come from the second and third approaches. For instance, the external server used in the second approach often makes at least a partial copy of the information included in the link previews. That threatens users’ privacy if the URL links to a document or web page containing personal data.

Researchers Talal Haj Bakry and Tommy Mysk examined various apps and social media platforms for potential problems with link previews. They found that they downloaded varying amounts of data depending on the nature of the linked file. In particular, they saw two popular social services (Instagram and Facebook Messenger) downloaded linked picture and video files in their entirety — even if they were gigabytes in size.

The privacy challenges don’t end there. A user’s machine needs to communicate with the server to which the link points in order to open a link. This means the server will know the user’s IP address and could expose their location. This isn’t the problem in the case of the first approach. The user is sending the URL that the link preview leads to so they likely trust it.

In the event of the third approach, the sending server will glean the user’s IP address and location from the receiver’s machine. That means the user doesn’t need to do anything to have a link preview potentially expose their details.

There’s also the issue of users’ security. Attackers could possibly prey upon users by sending URLs with link previews to websites containing JavaScript code. Two platforms in particular allowed for at least 20 seconds of execution time for URLs to websites containing JavaScript. This gives attackers an opening to target users with malware.

Link Preview Best Practices

In general, app developers need to consider the privacy and security implications of a feature before they release it. In the meantime, organizations and users alike can harden themselves against the weaknesses in link previews by following security best practices. Make sure you have up-to-date antivirus programs running on your own and your employees’ machines. In addition to possibly disabling JavaScript by default within the browser, having an updated antivirus solution can help prevent attackers from leveraging link previews to distribute malware. In addition, users and organizations can use virtual private networks (VPNs) to conceal their IP addresses and location, link preview or not.

More from Data Protection

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today