Popular chat apps sometimes use link previews as a convenient shortcut. Link previews are pop-up boxes you might see on a chat app or other social media platform when you share a URL. Link previews summarize the contents of the URL and display the name of the linked website, an image and a description of the website’s content. An app pulls this information from either the website’s standard HTML programming language tags or ad hoc meta tags.

However, when implemented improperly, this feature can put users’ digital security and privacy at risk.

Understanding the Social Media Vulnerabilities of a Link Preview

Services that create an automatic link preview from users typing in a URL generally use one of three approaches:

1. An app or social media platform downloads the link content and generates the preview. The receiving app then shows the preview. It doesn’t need to open the link, so potentially malicious content hosted on the linked website doesn’t reach the user right away.
2. The second approach uses an external server as a middle man between the sending and receiving apps. This generates the link preview.
3. Meanwhile, in the third approach the receiving app creates the preview.

The privacy issues inherent in link previews largely come from the second and third approaches. For instance, the external server used in the second approach often makes at least a partial copy of the information included in the link previews. That threatens users’ privacy if the URL links to a document or web page containing personal data.

Researchers Talal Haj Bakry and Tommy Mysk examined various apps and social media platforms for potential problems with link previews. They found that they downloaded varying amounts of data depending on the nature of the linked file. In particular, they saw two popular social services (Instagram and Facebook Messenger) downloaded linked picture and video files in their entirety — even if they were gigabytes in size.

The privacy challenges don’t end there. A user’s machine needs to communicate with the server to which the link points in order to open a link. This means the server will know the user’s IP address and could expose their location. This isn’t the problem in the case of the first approach. The user is sending the URL that the link preview leads to so they likely trust it.

In the event of the third approach, the sending server will glean the user’s IP address and location from the receiver’s machine. That means the user doesn’t need to do anything to have a link preview potentially expose their details.

There’s also the issue of users’ security. Attackers could possibly prey upon users by sending URLs with link previews to websites containing JavaScript code. Two platforms in particular allowed for at least 20 seconds of execution time for URLs to websites containing JavaScript. This gives attackers an opening to target users with malware.

Link Preview Best Practices

In general, app developers need to consider the privacy and security implications of a feature before they release it. In the meantime, organizations and users alike can harden themselves against the weaknesses in link previews by following security best practices. Make sure you have up-to-date antivirus programs running on your own and your employees’ machines. In addition to possibly disabling JavaScript by default within the browser, having an updated antivirus solution can help prevent attackers from leveraging link previews to distribute malware. In addition, users and organizations can use virtual private networks (VPNs) to conceal their IP addresses and location, link preview or not.