Popular chat apps sometimes use link previews as a convenient shortcut. Link previews are pop-up boxes you might see on a chat app or other social media platform when you share a URL. Link previews summarize the contents of the URL and display the name of the linked website, an image and a description of the website’s content. An app pulls this information from either the website’s standard HTML programming language tags or ad hoc meta tags.
However, when implemented improperly, this feature can put users’ digital security and privacy at risk.
Understanding the Social Media Vulnerabilities of a Link Preview
Services that create an automatic link preview from users typing in a URL generally use one of three approaches:
- An app or social media platform downloads the link content and generates the preview. The receiving app then shows the preview. It doesn’t need to open the link, so potentially malicious content hosted on the linked website doesn’t reach the user right away.
- The second approach uses an external server as a middle man between the sending and receiving apps. This generates the link preview.
- Meanwhile, in the third approach the receiving app creates the preview.
The privacy issues inherent in link previews largely come from the second and third approaches. For instance, the external server used in the second approach often makes at least a partial copy of the information included in the link previews. That threatens users’ privacy if the URL links to a document or web page containing personal data.
Researchers Talal Haj Bakry and Tommy Mysk examined various apps and social media platforms for potential problems with link previews. They found that they downloaded varying amounts of data depending on the nature of the linked file. In particular, they saw two popular social services (Instagram and Facebook Messenger) downloaded linked picture and video files in their entirety — even if they were gigabytes in size.
The privacy challenges don’t end there. A user’s machine needs to communicate with the server to which the link points in order to open a link. This means the server will know the user’s IP address and could expose their location. This isn’t the problem in the case of the first approach. The user is sending the URL that the link preview leads to so they likely trust it.
In the event of the third approach, the sending server will glean the user’s IP address and location from the receiver’s machine. That means the user doesn’t need to do anything to have a link preview potentially expose their details.
Link Preview Best Practices