If you’re one of the billion-plus people using Facebook Messenger, then you’d be well-advised to switch to an alternative. Unlike its Facebook stablemate WhatsApp, Messenger is missing the critical security required to protect your content from prying eyes. Everything you send on Messenger passes through Facebook servers to which it has access. We know Facebook “spies” on this content to make sure you’re following its rules. Now a new security report claims it also downloads your private content to its own servers without any warning.
The team behind the report has good form in holding major tech platforms to account on security grounds. Tommy Mysk and Talal Haj Bakry pushed Apple into the clipboard access warnings that are such a famed part of iOS 14; their research also caught TikTok indiscriminately reading Apple users’ clipboards, part of the technical backlash that ultimately led to U.S. action against the viral Chinese platform.
Mysk and Haj Bakry had initially set out to study how various messaging platforms handled so-called “link previews.” When you send a link to a website, a news article or other online content, including private documents, the recipient of your message will often see a preview of that content. Clearly this requires the link to be followed somewhere and somehow, and its data returned. The way that’s done, though, is critical. Get it wrong and messaging platforms can access private data, download personal information to their servers, even expose user locations.
“We think link previews are a good case study of how a simple feature can have privacy and security risks,” the team says in its report, issued today. While Mysk and Haj Bakry found that a number of messaging platforms don’t risk link previews at all (including, somewhat ironically, TikTok and WeChat), the main end-to-end encrypted messengers, including WhatsApp and iMessage, generate link previews on the sender side. “When you send a link, [your own messaging] app will go and download what’s in the link. It’ll create a summary and a preview image of the website, and it will send this as an attachment along with the link.” Uber-secure Signal offers either to disable or use sender-side link previews.
This type of link preview is a fairly safe security bet, the researchers explain. “The receiver would be protected from risk if the link is malicious. This approach assumes that whoever is sending the link must trust it, since it’ll be the sender’s app that will have to open the link.”
The opposite approach is receiver-side link previews—and this is dangerous. It means that anyone can send you a malicious link that your device might automatically follow, downloading malware or disclosing your IP address and betraying your location. This presents an attack vector to discover target locations. Mysk and Haj Bakry only found two messengers that took this approach, both of which are patching the vulnerability. Only one was a mainstream messenger—its identity is not being disclosed until a fix is released.
Which brings us to the final option, the Facebook Messenger approach—server-side link previews. As the report explains, “when you send a link, the app will first send it to an external server and ask it to generate a preview, then the server will send the preview back to both the sender and receiver.” But this is a potential security nightmare. “Facebook Messenger doesn’t provide link previews at all in its secret conversations, which are end-to-end encrypted,” Mysk told me. “All the vulnerabilities we discovered in Facebook Messenger occur in normal chats. This somehow shows that Facebook admits that the way link previews are treated in the normal chats may impact user privacy.”
As the researchers explain in their report, “links shared in chats may contain private information intended only for the recipients. This could be bills, contracts, medical records, or anything that may be confidential… Although these servers are trusted by the app, there’s no indication to users that the servers are downloading whatever they find in a link. Are the servers downloading entire files, or only a small amount to show the preview? If they’re downloading entire files, do the servers keep a copy, and if so for how long? And are these copies stored securely, or can the people who run the servers access the copies?”
This goes way beyond links to public domain websites. “Say you were sending a private Dropbox link to someone,” Mysk and Haj Bakry warn, “and you don’t want anyone else to see what’s in it. With this approach, the server will need to make a copy (or at least a partial copy) of what’s in the link to generate the preview… So that secret design document that you shared a link to from your OneDrive, and you thought you had deleted because you no longer wanted to share it? There might be a copy of it on one of these link preview servers.”
A number of messaging platforms take this approach—Facebook Messenger and stablemate Instagram, LinkedIn, Slack, Twitter, Zoom and Google Hangouts among them. But only Facebook’s platforms were seen downloading massive files, beyond the size needed for a preview. While others stopped at 20 to 50MB, the researchers saw Facebook download a 2.6GB file onto its servers. “The moment the link was sent, several Facebook servers immediately started downloading the file from our server… 24.7GB of data was downloaded from our server by Facebook servers… It’s still unclear to us why Facebook servers would do this when all the other apps put a limit on how much data gets downloaded.”
According to Mysk, “the servers need to open the links and download what’s in there. This information is not communicated to the users who might be sending links to private information, such as a private link to a PDF document. While users are led to believe that they are in a private space, the apps send information exchanged in the chat to external servers without the users being aware of that. Those external servers, although run by the app operator, do get a copy of data shared in the link.”
Facebook at least restricts its unlimited downloads to media files—Instagram would seem to download any size of any kind of file. But remember, Instagram and Messenger are currently being integrated. So it’s worth considering them as the same when it comes to security.
While this problem is not limited to Facebook Messenger, that is the only mainstream messenger tested that takes this approach with private user data, regardless of file size. Most of the other platforms using this type of link preview are not dedicated messengers as such, more providers of DMs within other services. Few people trust Twitter DMs, for example, to send large, private attachments unrelated to the app.
The researchers also say they discovered that Instagram would even run code if that’s where a link led its servers—they claim that sending a link to malicious JavaScript code in an Instagram DM would cause Facebook’s servers to run the code. “We showed [Facebook] that an attacker could run any JavaScript code on their servers by sending links to a malicious website owned by the attacker,” Mysk explained. “They dismissed this case by saying that they have anti-abuse mechanisms in place in order to stop malicious individuals.”
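As an added illustration (not code from the researchers’ report or from any of the apps named), here is one way a server-side preview generator can bound what it takes from a link, covering both the download-size and the code-execution concerns above: it reads only HTML, stops at a byte cap, and parses metadata without running any script. The 256 KB cap, the function and class names, and the sample page are assumptions made for this example.

```python
import codecs
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 256 * 1024  # assumed cap, chosen for this example
HTML_TYPES = ("text/html", "application/xhtml+xml")

class MetaParser(HTMLParser):
    """Collects <title> and Open Graph <meta> tags. Scripts are never run."""
    def __init__(self):
        super().__init__()
        self.meta, self._in_title = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta.setdefault(a["property"], a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.meta["title"] = self.meta.get("title", "") + data

def build_preview(content_type, body, max_bytes=MAX_PREVIEW_BYTES, chunk=8192):
    """Return (preview_fields, bytes_read) for a file-like response body."""
    if content_type.split(";")[0].strip().lower() not in HTML_TYPES:
        return {}, 0  # PDFs, media, archives: read nothing, show a bare link
    parser, read = MetaParser(), 0
    decode = codecs.getincrementaldecoder("utf-8")(errors="replace").decode
    while read < max_bytes:
        data = body.read(min(chunk, max_bytes - read))
        if not data:
            break
        read += len(data)
        parser.feed(decode(data))
    return parser.meta, read

# Constructed sample: a small <head> followed by 5 MB of filler.
SAMPLE_PAGE = (b'<html><head><title>Q3 contract draft</title>'
               b'<meta property="og:title" content="Contract (private)">'
               b'<script>while(true){}</script></head><body>'
               + b"A" * (5 * 1024 * 1024) + b"</body></html>")

if __name__ == "__main__":
    print(build_preview("text/html; charset=utf-8", io.BytesIO(SAMPLE_PAGE)))
    print(build_preview("application/pdf", io.BytesIO(b"%PDF-1.7 ...")))
```

Even with a cap like this, the server still sees the first part of whatever the link points to, so it limits exposure rather than removing it.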
For users of these messaging platforms, the key takeaway is stark and obvious. If you are sending anything private or personal, ensure you use an end-to-end encrypted platform to do so. This should highlight just how easy it is for a platform that offers only app-server encryption to access your content. But then we already know that Facebook reads unencrypted content—the only surprise is that it will download it to its own servers.
In response to the new report, Facebook told me “these are not security vulnerabilities. The behavior described is how we show previews of a link on Messenger or how people can share a link on Instagram, and we don’t store that data. This is consistent with our data policy and terms of service.” The company also told me that additional security measures operated behind the scenes, to protect against remote code execution attacks—albeit Mysk and Haj Bakry claim to have shown just such a code-execution vulnerability in action. As for the privacy concerns, Facebook acknowledged that its monitoring of non-encrypted chats is now in the public domain.
Facebook itself is one of the world’s primary advocates for end-to-end encryption. It launched secret conversations on Messenger to mitigate the risk of a compromise to its own infrastructure. For technical reasons, though, it cannot make this the default. Facebook is also a leading defender of the encryption used by Messenger’s stablemate WhatsApp, whose explanation for why you need end-to-end encryption summarizes it perfectly. “Some of your most personal moments are shared with WhatsApp, which is why we built end-to-end encryption into our app. When end-to-end encrypted, messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.”
This new report shows what all that means in practice. And so, if you’re sticking rigidly to a poorly secured messaging platform, including Facebook Messenger or, worse, SMS, then now’s the time to switch. WhatsApp remains a good everyday choice with a huge user base and all the functionality you need, notwithstanding Facebook’s monetization drive. But there are clearly even more secure options if you want to escape Facebook altogether.
“Apps that generate link previews on servers might leak the content of links,” Mysk warns. “If the leaked content is deemed personal, then personal user data is definitely at risk. It is unclear for how long such servers store the data, and if these servers store the data securely or conform to the same privacy policy that the app states. Since Facebook didn’t answer any of these privacy concerns, I’d refrain from sending links to private information in such apps. If you want to be on the safe side, just switch to an end-to-end encrypted app.”