Researchers: LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes
UPDATE. Link previews in popular chat apps on iOS and Android are a firehose of security and privacy issues, researchers have found.
When a user sends a link through one of these apps, the app renders a short summary and a preview image inline in the chat, so other users don't have to click the link to see what it points to.
"It must somehow automatically open the link to know what's inside. But is that safe? What if the link contains malware? Or what if the link leads to a very large file that you wouldn't want the app to download and use up your data?"
After the researchers sent a report to the LINE security team, the company updated its FAQ to include a disclosure that it uses external servers for preview links, along with information on how to disable them.
Facebook Messenger and its sister app Instagram Direct Messages were the only apps tested that put no limit on how much data is downloaded to generate a link preview.
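The missing download limit described above can be closed by capping how much of a response a preview generator reads. The sketch below is an added example, not code from the article or from any of the apps named; the 64 KB cap, the function names and the sample page are assumptions made for illustration.

```python
import io
from html.parser import HTMLParser

MAX_PREVIEW_BYTES = 64 * 1024  # assumed cap, not a value from the article

class MetaParser(HTMLParser):
    """Collects og:title, og:image and the <title> text."""
    def __init__(self):
        super().__init__()
        self.meta, self.in_title = {}, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") in ("og:title", "og:image"):
            self.meta.setdefault(a["property"], a.get("content") or "")
        self.in_title = (tag == "title")
    def handle_endtag(self, tag):
        self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.meta["title"] = self.meta.get("title", "") + data

def read_capped(stream, max_bytes=MAX_PREVIEW_BYTES, chunk=8192):
    """Read at most max_bytes from a file-like body; report truncation."""
    buf = bytearray()
    while len(buf) < max_bytes:
        part = stream.read(min(chunk, max_bytes - len(buf)))
        if not part:
            return bytes(buf), False      # body ended before the cap
        buf += part
    return bytes(buf), bool(stream.read(1))  # True if more data was waiting

def build_preview(stream, content_type, max_bytes=MAX_PREVIEW_BYTES):
    """Return preview fields, or None when the body is not HTML."""
    if content_type.split(";")[0].strip().lower() != "text/html":
        return None  # do not pull archives or binaries just to build a preview
    body, truncated = read_capped(stream, max_bytes)
    parser = MetaParser()
    parser.feed(body.decode("utf-8", errors="replace"))
    title = parser.meta.get("og:title") or parser.meta.get("title", "").strip()
    return {"title": title, "image": parser.meta.get("og:image"),
            "bytes_read": len(body), "truncated": truncated}

# Constructed sample: a small <head> followed by 5 MB of padding.
SAMPLE = (b'<html><head><title> Fallback </title>'
          b'<meta property="og:title" content="Example page">'
          b'<meta property="og:image" content="https://example.com/a.png">'
          b'</head><body>' + b"A" * (5 * 1024 * 1024))

if __name__ == "__main__":
    print(build_preview(io.BytesIO(SAMPLE), "text/html"))
```

In a real fetcher the `stream` argument would be the streamed HTTP response body, so the connection can be closed as soon as the cap is reached.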
News URL
https://threatpost.com/linkedin-instagram-preview-link-rce-security/160600/