Facebook Messenger lacks a critical security safeguard, security researchers state in their latest report. Everything you send on Messenger passes through Facebook’s servers, which download your private content to Facebook’s own infrastructure without any notice.
Security researchers Tommy Mysk and Talal Haj Bakry studied the link preview feature. When you send a contact some content, including private documents, the recipient will often see a preview of that content. This feature can give the social network access to the data you are sending.
“We think link previews are a good case study of how a simple feature can have privacy and security risks,” the team says.
While Mysk and Haj Bakry found that several messaging platforms, TikTok and WeChat for example, do not generate link previews at all, major end-to-end encrypted messengers, including WhatsApp and iMessage, generate link previews on the sender side.
This type of link preview is fairly secure, the researchers explain, since the receiver is protected if the link is malicious. The approach assumes that whoever sends the link trusts it, because it is the sender’s application that opens the link.
The opposite approach is to generate the preview on the receiver side, and this is dangerous: anyone can send you a malicious link that your device follows automatically, which could download malware or reveal your IP address and location. Mysk and Haj Bakry found only two messengers using this approach, and both are already fixing the vulnerability.
The final option, Facebook Messenger’s approach, generates the preview on the server side. As the report explains, “When you send a link, the app first sends it to an external server and prompts it to preview, then the server sends the preview to both the sender and recipient,” which is a security nightmare.
Links shared in chats may point to private information intended only for the recipients, such as invoices, contracts, medical records, or anything else that may be confidential. Although these servers are trusted by the application, users receive no warning that the servers are downloading whatever the link points to.
Other questions follow. Are the servers downloading entire files, or just enough of each to show the preview? If they download entire files, do they keep a copy, and if so, for how long? And are those copies stored securely, or can someone else access them?
This approach is used by various messaging platforms, among them Facebook Messenger, Instagram, LinkedIn, Slack, Twitter, Zoom and Google Hangouts. But only the Facebook platforms download massive files, far beyond the size needed for a preview. While the others stopped in the 20-50MB range, the researchers have evidence that Facebook downloaded a 2.6GB file to its servers.
However, as the researchers emphasize, Facebook at least restricts its unlimited downloads to media files, while Instagram has no such limitation. Instagram and Messenger are currently being integrated, so it is worth treating them as one when it comes to security.
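The questions above (does the preview service fetch whole files, and how much does it read) come down to how a preview generator is written. The following is an added example, not code from the report or from any of the messengers named, of a preview builder that refuses non-HTML resources and stops reading at an assumed cap rather than downloading a 2.6GB file; the header dict, chunk iterator and 1 MB cap are assumptions for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed cap: how much of a linked resource the preview generator may
# read. The report notes most services stop around 20-50 MB while
# Facebook fetched a 2.6 GB file; <title>/og: tags fit in far less.
MAX_PREVIEW_BYTES = 1_000_000
PREVIEW_CONTENT_TYPES = ("text/html",)

@dataclass
class Preview:
    title: Optional[str]
    description: Optional[str]
    bytes_read: int

class PreviewRefused(Exception):
    """Raised when a resource should not be fetched for a preview."""

def build_preview(headers: dict, body_chunks: Iterable[bytes]) -> Preview:
    """Build a preview from a streamed HTTP response, reading at most
    MAX_PREVIEW_BYTES. headers: lower-case keys; body_chunks: the body."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in PREVIEW_CONTENT_TYPES:
        # PDFs, videos, archives: nothing is downloaded at all
        raise PreviewRefused(f"not previewing content-type {ctype!r}")
    declared = headers.get("content-length")
    if declared is not None and int(declared) > MAX_PREVIEW_BYTES:
        raise PreviewRefused("declared size exceeds preview cap")
    buf = bytearray()
    for chunk in body_chunks:
        buf.extend(chunk)
        if len(buf) > MAX_PREVIEW_BYTES:
            # A missing or lying Content-Length must not pull the whole file
            raise PreviewRefused("body exceeded preview cap while streaming")
        if b"</head>" in buf:
            break  # metadata lives in <head>; stop reading the body
    html = buf.decode("utf-8", errors="replace")
    title = _meta(html, "og:title") or _tag_text(html, "title")
    return Preview(title, _meta(html, "og:description"), len(buf))

def _meta(html: str, prop: str) -> Optional[str]:
    pat = r'<meta[^>]+property=["\']%s["\'][^>]+content=["\']([^"\']*)'
    m = re.search(pat % re.escape(prop), html, re.I)
    return m.group(1) if m else None

def _tag_text(html: str, tag: str) -> Optional[str]:
    m = re.search(r"<%s[^>]*>(.*?)</%s>" % (tag, tag), html, re.I | re.S)
    return m.group(1).strip() if m else None
```

A server-side or sender-side generator built this way never stores the linked document, which is the property the report finds missing.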