Facebook looks to offer encrypted calls
This type of link preview is a fairly safe security bet, the researchers explain. “The receiver would be protected from risk if the link is malicious. This approach assumes that whoever is sending the link must trust it, since it’ll be the sender’s app that will have to open the link.”
The opposite approach is receiver-side link previews—and this is dangerous. It means that anyone can send you a malicious link that your device might automatically follow to download malware or it might disclose your IP address and betray your location. This presents an attack vector to discover target locations. Mysk and Haj Bakry only found two messengers that took this approach, both of which are patching the vulnerability. Only one was a mainstream messenger—its identity is not being disclosed until a fix is released.
Which brings us to the final option, the Facebook Messenger approach—server-side link previews. As the report explains, “when you send a link, the app will first send it to an external server and ask it to generate a preview, then the server will send the preview back to both the sender and receiver.” But this is a potential security nightmare. “Facebook Messenger doesn't provide link previews at all in its secret conversations, which are end-to-end encrypted,” Mysk told me. “All the vulnerabilities we discovered in Facebook Messenger occur in normal chats. This somehow shows that Facebook admits that the way link previews are treated in the normal chats may impact user privacy.”
On Friday evening, several editors at The Verge across the country — on both iOS and Android devices — noticed an update screen popped up in Instagram’s mobile app with the message “There’s a New Way to Message on Instagram” with a list of features including a “new colorful look for your chats,” more emoji reactions, swipe-to-reply, and the big one: “chat with friends who use Facebook.”
As the researchers explain in their report, “links shared in chats may contain private information intended only for the recipients. This could be bills, contracts, medical records, or anything that may be confidential... Although these servers are trusted by the app, there’s no indication to users that the servers are downloading whatever they find in a link. Are the servers downloading entire files, or only a small amount to show the preview? If they’re downloading entire files, do the servers keep a copy, and if so for how long? And are these copies stored securely, or can the people who run the servers access the copies?”
This goes way beyond links to public domain websites. “Say you were sending a private Dropbox link to someone,” Mysk and Haj Bakry warn, “and you don’t want anyone else to see what’s in it. With this approach, the server will need to make a copy (or at least a partial copy) of what’s in the link to generate the preview... So that secret design document that you shared a link to from your OneDrive, and you thought you had deleted because you no longer wanted to share it? There might be a copy of it on one of these link preview servers.”
A number of messaging platforms take this approach—Facebook Messenger and stablemate Instagram, LinkedIn, Slack, Twitter, Zoom and Google Hangouts among them. But only Facebook’s platforms were seen downloading massive files, beyond the size needed for a preview. While others stopped at 20 to 50MB, the researchers saw Facebook download a 2.6GB file onto its servers. “The moment the link was sent, several Facebook servers immediately started downloading the file from our server… 24.7GB of data was downloaded from our server by Facebook servers... It’s still unclear to us why Facebook servers would do this when all the other apps put a limit on how much data gets downloaded.”
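
To make the download-limit point concrete, here is an added sketch (not code from the report or from any of the platforms named) of a preview generator that reads only as much of a linked page as it needs. The 64 KiB cap, the Open Graph tag handling and all function names are assumptions chosen for illustration; the sample page is constructed.

```python
import codecs
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap, not a figure from the report
CHUNK = 4096

# Constructed sample: preview metadata in <head>, then 5 MB of private body text.
SAMPLE_PAGE = (b'<html><head><meta property="og:title" content="Q3 contract">'
               b'<meta property="og:description" content="Draft for review">'
               b'</head><body>' + b'x' * 5_000_000 + b'</body></html>')

class _OGParser(HTMLParser):
    """Collects Open Graph <meta> tags and flags when </head> has been seen."""
    def __init__(self):
        super().__init__()
        self.meta = {}
        self.done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta.setdefault(a["property"], a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self.done = True

def build_preview(content_type, body, max_bytes=MAX_PREVIEW_BYTES):
    """Return (og_tags, bytes_read); body is any file-like byte stream,
    such as a streamed HTTP response."""
    # Never pull non-HTML payloads (PDFs, archives, media) just to preview them.
    if not content_type.lower().startswith("text/html"):
        return {}, 0
    parser = _OGParser()
    decoder = codecs.getincrementaldecoder("utf-8")(errors="replace")
    read = 0
    # Stop at </head> or at the byte cap, whichever comes first.
    while read < max_bytes and not parser.done:
        chunk = body.read(min(CHUNK, max_bytes - read))
        if not chunk:
            break
        read += len(chunk)
        parser.feed(decoder.decode(chunk))
    return parser.meta, read
```

Against the constructed 5 MB page, the function returns both Open Graph tags after reading a single 4 KiB chunk, and it reads nothing at all from a non-HTML payload.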
According to Mysk, “the servers need to open the links and download what's in there. This information is not communicated to the users who might be sending links to private information, such as a private link to a PDF document. While users are led to believe that they are in a private space, the apps send information exchanged in the chat to external servers without the users being aware of that. Those external servers, although run by the app operator, do get a copy of data shared in the link.”
Facebook at least restricts its unlimited downloads to media files—Instagram would seem to download any size of any kind of file. But remember, Instagram and Messenger are currently being integrated. So it’s worth considering them as the same when it comes to security.
While this problem is not limited to Facebook Messenger, that is the only mainstream messenger tested that takes this approach with private user data, regardless of file size. Most of the other platforms using this type of link preview are not dedicated messengers as such, more providers of DMs within other services. Few people trust Twitter DMs, for example, to send large, private attachments unrelated to the app.
For users of these messaging platforms, the key takeaway is stark and obvious. If you are sending anything private or personal, ensure you use an end-to-end encrypted platform to do so. This should highlight just how easy it is for a platform that offers only app-server encryption to access your content. But then we already know that Facebook reads unencrypted content—the only surprise is that it will download it to its own servers.
In response to the new report, Facebook told me “these are not security vulnerabilities. The behavior described is how we show previews of a link on Messenger or how people can share a link on Instagram, and we don’t store that data. This is consistent with our data policy and terms of service.” The company also told me that additional security measures operated behind the scenes, to protect against remote code execution attacks—albeit Mysk and Haj Bakry claim to have shown just such a code-execution vulnerability in action. As for the privacy concerns, Facebook acknowledged that its monitoring of non-encrypted chats is now in the public domain.
Facebook itself is one of the world’s primary advocates for end-to-end encryption. It launched secret conversations on Messenger to mitigate the risk of a compromise to its own infrastructure. For technical reasons, though, it cannot make this the default. Facebook is also a leading defender of the encryption used by Messenger’s stablemate WhatsApp, whose explanation for why you need end-to-end encryption summarizes it perfectly. “Some of your most personal moments are shared with WhatsApp, which is why we built end-to-end encryption into our app. When end-to-end encrypted, messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.” This new report shows what all that means in practice. And so, if you’re sticking rigidly to a poorly secured messaging platform, including Facebook Messenger or, worse, SMS, then now’s the time to switch. WhatsApp remains a good everyday choice with a huge user base and all the functionality you need, notwithstanding Facebook’s monetization drive. But there are clearly even more secure options if you want to escape Facebook altogether.
Facebook ‘Privacy Matters’ reveals 5000 app developers continued to receive previously authorized users’ data after access should have automatically expired.
But in a satirical turn of events, Facebook announced via Privacy Matters that some third-party applications continued to receive previously authorized users’ data after access should have automatically expired.