I recently found that there is a room setting to enable the generation of URL previews. This makes me wonder, though: Who is generating the thumbnails? Does the server generate them, and then send the images back (this is an obvious privacy and security vulnerability)? Does a user generate them locally, and send them to the other recipient (this is what Signal does)? Does the receiver generate them on their end (this is also a potential security vulnerability)?
EDIT (2023-10-01T21:38Z): I found this documentation which outlines the possible methods, but, from what I can see, it doesn’t specify which one is actually used in practice. I was also unable to find any information in the Matrix spec.
EDIT (2023-10-01T21:41Z): In this set of release notes for Synapse 1.45.1, I found the following:
> Note that URL previews are generated server-side, and thus generally disabled in encrypted rooms to avoid leaking information about message content to your homeserver. You may need to adjust the room’s settings to see the new oEmbed previews.

If this is true, and all thumbnails are generated server-side, this is an enormous security and privacy risk.
EDIT (2023-10-01T22:18Z): Further research has found the following two open issues:
- Option to generate URL previews at the receiving client, not the server
- Consider making the sender generate url previews, as with e2e thumbnails
This confirms my suspicion – at the very least, for Element (I have still been unable to find any official standardized method within the Matrix protocol). My PSA that I would provide, then, to any who are reading this, is to not enable thumbnail generation, as it is a major privacy and security vulnerability.
It depends on what the defaults are for the client that you are using. Element, for example, defaults to E2EE.
In my opinion this isn’t a huge deal, but you do have a point in that it could be an attack vector for phishing.