usrnm Posted October 24, 2017 (edited)

Most instant messaging applications are providing enriched link summaries (as shown next with Telegram link previews), including a description and a preview image of the website. Depending on the implementation these nice-to-have features could become privacy intrusive: indeed, it might force your client into downloading some remote content from an untrusted third party, hence leaking your IP address and OS version (User-Agent).

How does it work?

The application (client side or server side) will grab the webpage and look for metadata through the Open Graph protocol. These are simple HTML tags included in the <head> section.

Twitter Direct Messages

When you share a URL with someone using Twitter DM, the server shall see at least two probes: one request coming from Twitter (AS13414) that will load the URL to get the card and, strangely, a second request coming from an Amazon EC2 server with a random mobile User-Agent. Most likely this is done to check for viruses/phishing (Twitter will display a warning upon suspicious links in new messages).
Privacy: URL is known to the server, no IP addresses leak (message isn't E2E encrypted anyway)

iMessages

Upon sending a link, your mobile device will generate a preview card. All data appear to be processed locally on your device. The receiver will not grab the URL but will have the preview data, meaning either the data is cached on an Apple server, or the data is directly sent to the receiver through the encrypted channel.
Privacy: fair

WhatsApp

WhatsApp has the same design as iMessage: the sender will generate the link preview (grabbing metadata from the URL) and send this data to the recipient through the server. This will occur even when end-to-end encryption is enabled, but it doesn't seem to violate E2E (the URL is grabbed from the client, not the server).
Privacy: fair

Signal

Signal does not have any enriched link preview; neither the client nor the server is grabbing the URL. 👍
Privacy: good

Telegram

The Telegram mobile application will generate the preview server-side. From an app that claims to have E2E this is kind of a big issue.
Privacy: URL is known to the server, no IP addresses leak

Wire

Wire will generate a preview locally (from your mobile device). Interestingly, the Wire web app (on desktop) won't generate any preview. Worth pointing out you can disable link previews in the application settings, good move.
Privacy: fair

FB Messenger

Facebook servers will grab the URL to display the preview card. Haven't tested with Secret Conversations.
Privacy: URL is known to the server, no IP addresses leak

Skype

Skype servers will generate the link preview as well.
Privacy: URL is known to the server, no IP addresses leak

Slack

The Slack app is generating the link preview server-side.
Privacy: URL is known to the server, no IP addresses leak

Discord

Same thing with Discord (tested on the Discord web app).
Privacy: URL is known to the server, no IP addresses leak

Source: https://blog.0day.rocks/link-previews-in-im-apps-and-privacy-d32e6056095b

Edited October 24, 2017 by usrnm
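The test the post implies (share a URL on a server you control, then see who fetches it) as an added Python example, not code from the post or the linked blog: it parses constructed access-log lines, groups fetches by a per-app token embedded in the path, and classifies where the preview fetch came from. All IPs, tokens and User-Agents below are constructed, and the "recipient" category is a generalization beyond what the post observed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: each IM app was handed a URL carrying its own token,
# so every probe that hits the server can be attributed to the app that caused it.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2017:10:00:01 +0000] "GET /share/wire-a1b2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38"
198.51.100.20 - - [24/Oct/2017:10:01:15 +0000] "GET /share/tg-c3d4 HTTP/1.1" 200 512 "-" "ConstructedPreviewBot/1.0"
192.0.2.44 - - [24/Oct/2017:10:02:30 +0000] "GET /share/tw-e5f6 HTTP/1.1" 200 512 "-" "ConstructedCardFetcher/1.0"
192.0.2.99 - - [24/Oct/2017:10:02:31 +0000] "GET /share/tw-e5f6 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36"
"""


def parse_log(text):
    """Yield (ip, path, user_agent) for each line matching the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), m.group("ua")


def probes_by_token(text):
    """Group every fetch by the share token in its path (/share/<token>)."""
    groups = defaultdict(list)
    for ip, path, ua in parse_log(text):
        m = re.match(r"^/share/([\w-]+)", path)
        if m:
            groups[m.group(1)].append((ip, ua))
    return dict(groups)


def classify(probes, sender_ip, recipient_ip):
    """Classify the fetch origin for one shared URL.
    'none'        : nobody fetched it (Signal-style, nothing leaks)
    'recipient'   : the recipient's device fetched it (recipient IP/UA leak)
    'client-side' : only the sender's own device fetched it (iMessage/WhatsApp/Wire style)
    'server-side' : some other host fetched it (provider infrastructure; URL known to server)
    """
    if not probes:
        return "none"
    ips = {ip for ip, _ in probes}
    if recipient_ip in ips:
        return "recipient"
    if ips <= {sender_ip}:
        return "client-side"
    return "server-side"
```

Each token's probe list also carries the User-Agent, which is what reveals the sender's OS version when the fetch is client-side.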