Security News > 2020 > October > Researchers: LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes
UPDATE. Link previews in popular chat apps on iOS and Android are a firehose of security and privacy issues, researchers have found.
When a user sends a link through, it renders a short summary and a preview image in-line in the chat, so other users don't have to click the link to see what it points to.
"It must somehow automatically open the link to know what's inside. But is that safe? What if the link contains malware? Or what if the link leads to a very large file that you wouldn't want the app to download and use up your data."
After the researchers sent a report to the LINE security team, the company updated its FAQ to include a disclosure that they use external servers for preview links, along with information on how to disable them.
Facebook Messenger and its sister app Instagram Direct Messages are the only ones in the testing that put no limit on how much data is downloaded to generate a link preview.
News URL
https://threatpost.com/linkedin-instagram-preview-link-rce-security/160600/
Related news
- Ivanti fixes RCE vulnerability reported by NATO cybersecurity researchers (CVE-2023-41724) (source)
- Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws (source)
- Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs (source)
- Chinese government website security is often worryingly bad, say Chinese researchers (source)