Earlier this month, Belgium-based security researcher Inti De Ceukelaire took to Medium to publish his findings regarding what he perceived to be a privacy-exposing flaw in Messenger, the popular standalone chat app from Facebook.
He found that links shared between users in a chat could be identified by Facebook’s crawler tool, which is used to discern details about a given URL. It is then used to display the information in the format most users see when sharing links on Facebook, with a title, description, and thumbnail image. Each link is given a numerical identifier, which Facebook can use to generate the same information every time after it’s been shared once.
De Ceukelaire notes that there’s nothing wrong with the crawler pulling this information if the data is kept secret, but a tool allows developers to request any object by its number, including links. The tool is only supposed to return the information if the developer has access to it, but De Ceukelaire was able to access links shared in private conversations.
While he couldn’t see who shared a given link, he reliably accessed the exact URL that is represented by a given number assigned by Facebook.
De Ceukelaire approached Facebook regarding the issue, filing a bug report through the social network’s bounty program for reporting security flaws. The company informed him that it was not a bug in need of fixing; in fact, it’s a feature.
The researcher warned the feature could be exploited to discover links that may contain private information. “Links shared through Messenger, private groups, status updates or by using the mobile application seem to be vulnerable to the methods described,” he wrote.
A spokesperson for Facebook told the Daily Dot that it had looked into the report filed by De Ceukelaire and the company is “confident that the risk to URLs people share in messages is very low.” The spokesperson attributed technical protections including rate limiting on requests and throttling that “can detect suspicious activity and which we have recently strengthened further.”
De Ceukelaire noted there are indeed security protocols in place to prevent abuse but suggested a determined user could potentially bypass those measures. He claims to have extracted 70 links in 10 minutes. (About 3 million links are shared on Facebook every hour.)
Additionally, the spokesperson said the technique “could only return random URLs and would not tie the sharing of a link to any particular person on Facebook. We have not seen abuse of this matter, and we are constantly working to make the security of our systems stronger,” adding, “as always, we are focused on keeping your message content safe.”
The contrast between Facebook’s calm explanation and De Ceukelaire’s urgent tone in his blog post—titled “Why you shouldn’t share links on Facebook”—is stark. Even if the situation is as dire as De Ceukelaire suggests, most users would remain unaffected simply due to the volume of content the exploiter must sift through.
It’s still a piece of information to keep in mind when sharing anything over Facebook—or any other social network, for that matter.
This isn’t the first instance that Messenger has been the target of an exploit that put user privacy at risk; last year, researchers found they could track the location of users through the communication platform by silently soliciting pings that would reveal the device location from a rogue network.
Prior to the potential vulnerability being revealed, a Facebook intern revealed the incredible amount of location information Messenger collects from users by compiling a Google Chrome extension that mapped out all the data, showing users exactly where their friends were located while talking to them.