I recently found that there is a room setting to enable the generation of URL previews. This makes me wonder, though: Who is generating the thumbnails? Does the server generate them, and then send the images back (this is an obvious privacy, and security vulnerability)? Does a user generate them locally, and send them to the other recipient (this is what Signal does)? Does the receiver generate them on their end (this is also a potential security vulnerability)?
EDIT (2023-10-01T21:38Z): I found this documentation which outlines the possible methods, but, from what I can see, it doesn’t specify what one is actually used in practice. I was also unable to find any information in the Matrix spec.
EDIT (2023-10-01T21:41Z): In this set of release notes for Synapse 1.45.1, I found the following:
Note that URL previews are generated server-side, and thus generally disabled in encrypted rooms to avoid leaking information about message content to your homeserver. You may need to adjust the room’s settings to see the new oEmbed previews.
If this is true, and all thumbnails are generated serverside, this is an enourmous security, and privacy risk.
EDIT (2023-10-01T22:18Z): Further research has found the following two open issues:
- Option to generate URL previews at the receiving client, not the server
- Consider making the sender generate url previews, as with e2e thumbnails
This confirms my suspicion – at the very least, for Element (I have still been unable to find any official standardized method within the Matrix protocol). My PSA that I would provide, then, to any who are reading this, is to not enable thumbnail generation, as it is a major privacy, and security vulnerability.
Its not used with e2ee, is it though? At least it’s not the default and I doubt it can even be enabled.
So what is the security flaw assuming we weren’t using e2ee to begin with?
Yes, like RSS bots, bridges, webhook-bots etc all can produce links the recipient might want to see previews for.
Another thing is that e.g. spammers might choose to use a misleading preview. Though I suppose that’s a minor point, probably server-side previews can be tricked as well.
It depends on what the defaults are for the client that you are using. Element, for example, defaults to E2EE.
In my opinion this isn’t a huge deal, but you do have a point in that it could be an attack vector for phishing.