Zerosecurity
GIFs in messaging apps are tracking you

by Christi Rogalski
July 19, 2022
in Privacy

Today, the animated GIF sent to a friend or colleague perfectly expresses our emotions and lightens the mood of the recipient(s). However, several concerns have been raised about the leakage of user information when searching for and sharing the perfect GIF in some messaging apps. One such concern was reported by Security Risk Advisors (SRA), where a researcher investigated Giphy's integration into some popular messaging apps and detailed the findings along with suggestions for improving user privacy.

How Giphy may be tracking you

To open up Giphy's library of millions of GIFs and stickers to users, the client makes a request to the Giphy search API. Every result returned is a URL carrying a "cid" parameter: an 8-character app id followed by a 40-character search id. The search id is derived from factors such as the search string, the number of results requested, the results rating, the results offset, the geographical area, and the time of the search.

  • When you make a search request, every GIF returned will have the same cid
  • The first 8 characters (“app id”) are consistent across every search made with the same API token. For example:
    • Teams searches start with “de9bf95e”
    • Discord searches start with “73b8f7b1”
    • Signal (on Android) searches start with “c95d8580”

Below is an example:

https://media0.Giphy.com/media/Ju7l5y9osyymQ/Giphy.gif?cid=de9bf95evmdivzh16orm7svyp9ticugu4abuyc3ty2df5y9i&rid=Giphy.GIF

Searches made with the same API key share the same first 8 characters. In the example above, de9bf95e is the app id for GIF search in Teams. GIF searches in Discord and Signal (Android) carry the app ids "73b8f7b1" and "c95d8580" respectively.

Also, every image returned by the same keyword search carries the same search id. Though it may change occasionally, the search id stays consistent across subsequent searches with the same API key from the same host. This implies that different people in the same geographical location get the same search id if the query is made with the same API key.

Given that the cid parameter is not dynamic, a gif URL sent to a friend leaves some footprints, though not your IP, in the message history.

Signal

As explicitly stated in two of Signal's blog posts, Signal serves as a privacy-preserving proxy between its users and Giphy. It ensures there is no direct communication between you, the Signal user, and the Giphy server: your GIF search on Signal is forwarded over Signal's own network API to Giphy. Because of the way Signal communicates, no data besides the cid parameter in the URL reaches Giphy's servers.

In addition, the communication between Signal and Giphy uses TLS, so both the search text you send and the results you receive are encrypted in transit. In essence, the Signal service knows who you are from the data it holds about you but not what you searched for, while the Giphy server knows what you are searching for but not who you are.

Signal not leaking your data through Giphy (source: SRA)

How Signal can improve privacy

It is hard to improve privacy on Signal further without compromising the user experience. The encrypted proxy setup makes it almost impossible for Giphy to learn your IP address. Giphy may, however, use small details such as search patterns or caching behaviour to infer that requests come from the same host, without learning its origin. On the Signal side, user activity could be masked by inflating it with fake searches and download requests, but the bandwidth cost makes this tactic not worth Signal's time.

Discord

Though Discord is powered by the Google GIF search engine, Tenor, users can search and send GIFs with Giphy using the /Giphy command. Unlike making a query on Signal, searching for GIFs this way creates a direct connection between the user and Giphy servers.

Discord leaking your data via Giphy (source: SRA)

First, the Discord app forwards the user's search string to Giphy. The search result is returned to the Discord server, which processes it and sends the preview URL to the user. From there, the user requests the previews directly from the Giphy servers. These preview requests contain the cid parameter and a Referer header, both of which leak user data to Giphy. The exact channel URL from the Referer header, combined with the information encoded in the cid parameter, gives Giphy the foundation for working out which channel you use, who you are messaging, your current emotional state, and so on.

It should be noted that this hypothetical scenario is different when sending and retrieving gifs where the requests are handled on a proxy.

In what ways can Discord improve your privacy?

The first is to remove the cid parameter from the preview URL before the request is sent to the Giphy servers. Also, not sending the Referer header along with GIF preview requests eliminates a major privacy concern. Lastly, all GIF previews should be proxied through Discord's servers instead of being fetched directly from Giphy.
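As an added example (not code from the article or from SRA), the following Python illustrates the two points above: it splits the cid parameter of a Giphy media URL into the 8-character app id and 40-character search id described earlier, labels the app id using the three prefixes the article lists, and strips cid and rid from a URL as the first Discord mitigation suggests. The 48-character length check, the function names and the sample URL (modelled on the one quoted in the article, hostname lowercased) are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# App-id prefixes the article attributes to each client.
KNOWN_APP_IDS = {
    "de9bf95e": "Microsoft Teams",
    "73b8f7b1": "Discord",
    "c95d8580": "Signal (Android)",
}

APP_ID_LEN = 8      # first 8 characters of cid
SEARCH_ID_LEN = 40  # remaining 40 characters (assumed fixed length)


def parse_cid(url: str) -> Optional[dict]:
    """Split the cid query parameter of a Giphy media URL into app id and search id.

    Returns None when the URL carries no cid or the value is not 48 characters long.
    """
    query = dict(parse_qsl(urlsplit(url).query))
    cid = query.get("cid")
    if cid is None or len(cid) != APP_ID_LEN + SEARCH_ID_LEN:
        return None
    app_id = cid[:APP_ID_LEN]
    return {
        "app_id": app_id,
        "search_id": cid[APP_ID_LEN:],
        "app": KNOWN_APP_IDS.get(app_id, "unknown"),
    }


def strip_tracking_params(url: str) -> str:
    """Drop cid and rid so a shared or proxied URL no longer carries the search id."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in ("cid", "rid")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed sample URL, modelled on the Teams example quoted in the article.
SAMPLE_URL = ("https://media0.giphy.com/media/Ju7l5y9osyymQ/giphy.gif"
              "?cid=de9bf95evmdivzh16orm7svyp9ticugu4abuyc3ty2df5y9i&rid=giphy.gif")

if __name__ == "__main__":
    print(parse_cid(SAMPLE_URL))            # app id de9bf95e -> Microsoft Teams
    print(strip_tracking_params(SAMPLE_URL))  # URL without cid and rid
```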

Microsoft Teams

For whatever reason, Microsoft gives Giphy a free hand when it comes to users' privacy. If the admin enables it, GIF preview requests for the queries you make are sent directly to Giphy's servers without a proxy. With your cid token readily available to Giphy's servers, the IP addresses of the people in your group who download the GIFs you send are served up on a platter. Combined with other data collection techniques, it is safe to say Facebook has what it needs to build profiles of your colleagues, friends and family, as well as of your emotions. Strangely, this privacy concern does not arise when you use a third-party custom search extension available in Teams: all media URLs are then converted to proxied URLs.

How Microsoft Teams leaks Giphy data (source: SRA)

Final Thoughts

GIFs spice up our messaging and many people like them. However, some messaging apps leak information as a result of poor design and neglect of user privacy. Signal appears the most privacy-oriented without compromising user experience. On the other hand, Discord leaks a lot of information via GIF previews, while Microsoft Teams apparently gives Giphy access to its users' information.

Source: Security Risk Advisors
Tags: Giphy, Messaging Apps

Christi Rogalski

Christi began her InfoSec career at the Illinois Institute of Technology, where she received her Bachelor of Science degree in Applied Cybersecurity and Information Technology. Her passions include learning about new threats in the security world, investing, and playing with her dog, Pablo.

© 2022 ZeroSecurity, All Rights Reserved.