Developers Tommy Mysk and Talal Haj Bakry have identified a privacy and security threat on Facebook's platforms.
The vulnerability appears when a user shares a link in Facebook Messenger or in Instagram messages and a preview of the link is created. The link's data is uploaded to Facebook's servers. The links could contain invoices, contracts, medical records, and other confidential information.
The developers initially contacted Facebook to report that they had discovered the vulnerability, but Facebook answered that the feature is working correctly.
Then Facebook released an update without link previews in Messenger and Instagram, but only in Europe. The company needed to remove them to comply with strict EU privacy laws because downloading and storing data from users' links violates them.
The developers believe that such an action by Facebook suggests that the service can use the content of links for more than just creating previews.
Mysk and Bakry also checked Twitter, Slack, and Discord. Facebook platforms were the only ones to download more than 50MB of data for each link. Other platforms downloaded no more than 50MB to generate the information needed to preview the link.
At the end of 2020, Facebook announced changes to its platforms but did not specify what exactly those changes would be.
We want to note that Facebook still generates link previews and downloads all data from linked pages everywhere outside the EU.
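The difference between downloading a whole linked file and downloading only what a preview needs can be shown with a bounded preview builder. This is an added example, not code from the researchers or from any of the platforms named above; the 64 KB cap, the chunk size, the names `HeadParser` and `build_preview`, and the sample page are assumptions made for illustration.

```python
import codecs
from html.parser import HTMLParser

PREVIEW_BYTE_CAP = 64 * 1024  # assumed cap for this example, not a figure from the article
CHUNK = 4096                  # bytes pulled from the response per read

class HeadParser(HTMLParser):
    """Collects <title> and Open Graph <meta> tags; sets done once <head> is over."""
    def __init__(self):
        super().__init__()
        self.meta, self.done, self._in_title = {}, False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta[a["property"]] = a.get("content") or ""
        elif tag == "body":
            self.done = True  # no </head> seen, but the head is over

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "head":
            self.done = True

    def handle_data(self, data):
        if self._in_title:
            self.meta["title"] = self.meta.get("title", "") + data

def build_preview(body, cap=PREVIEW_BYTE_CAP):
    """Read binary stream `body` until the head ends or `cap` bytes are consumed."""
    parser, read = HeadParser(), 0
    decode = codecs.getincrementaldecoder("utf-8")(errors="replace").decode
    while not parser.done and read < cap:
        chunk = body.read(min(CHUNK, cap - read))
        if not chunk:
            break
        read += len(chunk)
        parser.feed(decode(chunk))
    return parser.meta, read

# Constructed sample: a short <head>, then 5 MB standing in for a private document.
SAMPLE = (b'<html><head><title>Invoice 0001</title><meta property="og:title" '
          b'content="Invoice"></head><body>' + b"x" * (5 * 2**20) + b"</body></html>")
```

On the constructed sample the preview fields are recovered after a single 4 KB read, and the 5 MB body is never pulled from the stream.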