Could receiving a URL link, not clicking on it, ever pose a security problem?

Many browsers send "pings" to any links on a page by performing a DNS query on them to populate the cache. This makes clicking the link faster because the IP is already in the DNS cache. In theory, a bug in this code could be exploitable simply because the link is there. In practice, this isn't an issue. Just because a link exists doesn't mean it can do much to you.


Some software will automatically fetch any URL it sees, even if you don't click it. A few examples:

  • Browsers that are configured to pre-fetch certain URLs so that they load instantly after clicking (this isn't default on any major browser I'm aware of, but I've seen it).
  • Messaging clients that show a preview of the page (text and/or image thumbnail) when you send or receive a message with a link.
  • Browser extensions that pre-fetch certain links to check the page for malware (part of some AV suites).

In any of these cases, a vulnerability in the HTTP client (browser, AV software, messaging app or server, etc.) could be exploited by an attacker. However, such vulnerabilities are relatively rare unless the client supports JS (it is very hard to make a JS engine fully secure, though of course the developers try), and the clients are often sandboxed to limit the damage even if they are vulnerable.

Also, note that - in an ideal world where everything works correctly - fetching a URL would always be safe (it shouldn't be possible for fetching a URL to do anything harmful) and wouldn't even be state-changing (GET should be idempotent). Obviously, the real world is not nearly so ideal, since both software vulnerabilities and websites that ignore various standards exist. However, because those things exist, and for privacy reasons (fetching a URL always exposes, at a minimum, an IP address), automatically fetching URLs is relatively rare.

Just looking at a link (without fetching/visiting it) isn't going to be dangerous unless your text rendering library has some seriously wacky bugs, and most likely they could be set off by non-link text in a situation like that anyhow.


Yes. We can be pretty sure this can happen, because something very similar to it did: https://www.nbcnews.com/tech/security/android-flaw-could-let-hackers-take-over-phone-text-n399016

Stagefright: There was a bug that got named Stagefright, which was in the image or video processing on Android. Because some apps will "view" media automatically to generate a preview, the app automatically runs the media through the buggy library without the need for user intervention.

Back to your question: Currently, many messaging apps, including Discord, generate a preview of links that are sent to you. If a similar bug were to come back, it would almost certainly affect people who view the link without opening it, since the app needs to render the link preview.
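
An added example (not from any of the answers above, and not any messaging app's actual code): a link-preview builder that keeps the automatic attack surface small by accepting only HTML, capping how much it parses, never running script and never decoding the linked image or video itself. The names `build_preview`, `MAX_BYTES` and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

MAX_BYTES = 64 * 1024          # assumed cap on how much of a response is parsed
ALLOWED_TYPES = {"text/html"}  # media types are never handed to a decoder
WANTED = {"og:title", "og:description", "og:image"}

class _MetaParser(HTMLParser):
    """Collects <title> text and Open Graph <meta> tags; scripts are never run."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.fields = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("property") in WANTED and a.get("content"):
            self.fields.setdefault(a["property"], a["content"][:300])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.fields.setdefault("title", data.strip()[:300])

def build_preview(content_type, body):
    """Return a text-only preview dict, or None if the response is not plain HTML."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ALLOWED_TYPES:
        return None  # image/video/etc.: do not parse or thumbnail automatically
    parser = _MetaParser()
    parser.feed(body[:MAX_BYTES].decode("utf-8", errors="replace"))
    parser.close()
    f = parser.fields
    return {
        "title": f.get("og:title") or f.get("title", ""),
        "description": f.get("og:description", ""),
        # Kept as a string only; fetching and decoding it is left to a user click.
        "image_url": f.get("og:image", ""),
    }

# Constructed sample responses (not captured traffic).
SAMPLE_HTML = (b'<title>Fallback</title><meta property="og:title" content="Hello &amp; welcome">'
               b'<meta property="og:image" content="https://example.com/a.png">'
               b'<script>document.title = "changed by script"</script>')
SAMPLE_VIDEO = b"\x00\x00\x00\x18ftypmp42"
```

The preview carries the image URL as text only, so no media library runs until the user chooses to open the link.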
