Study shows which messengers leak your data, drain your battery, and more


Post by Flash »

Study shows which messengers leak your data, drain your battery, and more
Dan Goodin - 10/26/2020
Link previews are a ubiquitous feature found in just about every chat and messaging app, and with good reason. They make online conversations easier by providing images and text associated with the file that’s being linked.

Unfortunately, they can also leak our sensitive data, consume our limited bandwidth, drain our batteries, and, in one case, expose links in chats that are supposed to be end-to-end encrypted. Among the worst offenders, according to research published on Monday, were messengers from Facebook, Instagram, LinkedIn, and Line. More about that shortly. First a brief discussion of previews.

When a sender includes a link in a message, the app will display the conversation along with text (usually a headline) and images that accompany the link....
For this to happen, the app itself—or a proxy designated by the app—has to visit the link, open the file there, and survey what’s in it. This can open users to attacks. The most severe are those that can download malware. Other forms of malice might be forcing an app to download files so big they cause the app to crash, drain batteries, or consume limited amounts of bandwidth. And in the event the link leads to private materials—say, a tax return posted to a private OneDrive or Dropbox account—the app server has an opportunity to view and store it indefinitely...

...The researchers behind Monday’s report, Talal Haj Bakry and Tommy Mysk, found that Facebook Messenger and Instagram were the worst offenders. As the chart below shows, both apps download and copy a linked file in its entirety—even if it’s gigabytes in size. Again, this may be a concern if the file is something the users want to keep private.
Haj Bakry and Mysk reported their findings to Facebook, and the company said that both apps work as intended. Instagram owner Facebook said in an email that its servers download only a downscaled version of an image, not the original file, and that the company doesn't store that data. The email also said that its servers run the JavaScript to vet it for security. Mysk, however, said that the video demonstrates that Instagram downloaded a 2.6GB file (an Ubuntu ISO with the file renamed to ubuntu.png) in its entirety. He also noted that most other messengers strip out JavaScript rather than downloading it and running it on their servers...

...LinkedIn performed only slightly better. Its only difference was that, rather than copying files of any size, it copied only the first 50 megabytes...
Chaos coordinator :?
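
The behaviour the article contrasts (copying a linked file in full versus reading only what a preview needs) can be shown from the defensive side. This is an added example, not code from the article, the researchers, or any messenger: it reads a bounded number of bytes, refuses non-HTML responses, and extracts only the title and Open Graph tags without running any script. The 64 KiB cap and all names are assumptions made for illustration.

```python
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap; the article recommends no number

class MetaParser(HTMLParser):
    """Collects <title> and Open Graph tags. Script text is never executed."""
    def __init__(self):
        super().__init__()
        self.meta = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta.setdefault(a["property"], a.get("content") or "")
        self._in_title = tag == "title"

    def handle_endtag(self, tag):
        self._in_title = False

    def handle_data(self, data):
        if self._in_title and data.strip():
            self.meta.setdefault("title", data.strip())

def read_capped(body, cap):
    """Read at most `cap` bytes, however much the server is willing to send."""
    buf = bytearray()
    while len(buf) < cap:
        chunk = body.read(min(8192, cap - len(buf)))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)

def build_preview(content_type, body, cap=MAX_PREVIEW_BYTES):
    """Return (metadata, bytes_read) for one response; `body` has .read(n)."""
    # Refuse anything not declared as HTML before touching the body.
    if content_type.split(";")[0].strip().lower() != "text/html":
        return {}, 0
    data = read_capped(body, cap)
    parser = MetaParser()
    parser.feed(data.decode("utf-8", errors="replace"))
    return parser.meta, len(data)

class EndlessBody:
    """Constructed stand-in for a multi-gigabyte download; counts bytes served."""
    served = 0
    def read(self, n):
        self.served += n
        return b"\x00" * n
```

A real fetcher would pass the HTTP response stream as `body`; the cap applies even when the declared content type is wrong.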