Talal Haj Bakry and Tommy Mysk, who you may remember from their work on pasteboard snooping, have a new report describing various ways generated link previews in chat apps can compromise privacy and security:
"Link previews in chat apps can cause serious privacy problems if not done properly. We found several cases of apps with vulnerabilities such as: leaking IP addresses, exposing links sent in end-to-end encrypted chats, and unnecessarily downloading gigabytes of data quietly in the background."
Apparently, Facebook Messenger and Instagram will download link previews server-side no matter the file size — and, get this, Facebook says that this feature is working as intended.
So, if a person wanted to be kind of an asshole to someone, they could just send a direct link to a massive image or video file over Instagram, and this is apparently something Facebook has no intention of fixing.
Also, there appear to be a handful of services redacted from this report. Stay tuned, I guess.
Update: I misread this report and I regret the error.