Earlier this month, Belgium-based security researcher Inti De Ceukelaire took to Medium to publish his findings regarding what he perceived to be a privacy-exposing flaw in Messenger, the popular standalone chat app from Facebook.
He found that links shared between users in a chat could be identified by Facebook’s crawler tool, which is used to discern details about a given URL. It is then used to display the information in the format most users see when sharing links on Facebook, with a title, description, and thumbnail image. Each link is given a numerical identifier, which Facebook can use to generate the same information every time after it’s been shared once.
De Ceukelaire notes that there’s nothing wrong with the crawler pulling this information if the data is kept secret, but a tool allows developers to request any object by its number, including links. The tool is only supposed to return the information if the developer has access to it, but De Ceukelaire was able to access links shared in private conversations.
While he couldn’t see who shared a given link, he reliably accessed the exact URL that is represented by a given number assigned by Facebook.
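To make the mechanism concrete, here is an added toy model (not the article's or Facebook's code) of a link-preview store whose crawler hands every shared URL a numeric object id: one lookup returns any object by number, as the researcher describes, while the hardened lookup requires the requester to be a participant of the conversation the link came from, and a sliding-window throttle models the rate limiting Facebook cites. Conversation ids, user names and URLs are constructed for the example.

```python
from collections import defaultdict, deque
from itertools import count


class LinkPreviewStore:
    """Toy model of a crawler that gives every shared URL a numeric object id."""

    def __init__(self):
        self._ids = count(1000)           # sequential ids: neighbours are guessable
        self._links = {}                  # object id -> (url, conversation id)
        self._members = defaultdict(set)  # conversation id -> set of user ids

    def add_member(self, conversation, user):
        self._members[conversation].add(user)

    def share(self, url, conversation):
        oid = next(self._ids)
        self._links[oid] = (url, conversation)
        return oid

    def lookup_unchecked(self, oid):
        """The behaviour the article describes: any object by number, no access check."""
        link = self._links.get(oid)
        return link[0] if link else None

    def lookup_checked(self, oid, requester):
        """Hardened form: only participants of the originating chat get the URL."""
        link = self._links.get(oid)
        if link is None or requester not in self._members[link[1]]:
            return None  # same answer for "unknown id" and "not yours"
        return link[0]


class Throttle:
    """Per-requester sliding-window limit, modelling the rate limiting Facebook cites."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self._hits = defaultdict(deque)

    def allow(self, requester, now):
        hits = self._hits[requester]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # burst of lookups: refuse, and this is where to alert
        hits.append(now)
        return True
```

The throttle only slows a determined requester down; the access check in `lookup_checked` is what removes the exposure.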
De Ceukelaire approached Facebook regarding the issue, filing a bug report through the social network’s bounty program for reporting security flaws. The company informed him that it was not a bug in need of fixing; in fact, it’s a feature.
The researcher warned the feature could be exploited to discover links that may contain private information. “Links shared through Messenger, private groups, status updates or by using the mobile application seem to be vulnerable to the methods described,” he wrote.
A spokesperson for Facebook told the Daily Dot that it had looked into the report filed by De Ceukelaire and that the company is “confident that the risk to URLs people share in messages is very low.” The spokesperson cited technical protections including rate limiting on requests and throttling that “can detect suspicious activity and which we have recently strengthened further.”
De Ceukelaire noted there are indeed security protocols in place to prevent abuse but suggested a determined user could potentially bypass those measures. He claims to have extracted 70 links in 10 minutes. (About 3 million links are shared on Facebook every hour.)
Additionally, the spokesperson said the technique “could only return random URLs and would not tie the sharing of a link to any particular person on Facebook. We have not seen abuse of this matter, and we are constantly working to make the security of our systems stronger,” adding, “as always, we are focused on keeping your message content safe.”
The contrast between Facebook’s calm explanation and De Ceukelaire’s urgent tone in his blog post—titled “Why you shouldn’t share links on Facebook”—is stark. Even if the situation is as dire as De Ceukelaire suggests, most users would remain unaffected simply due to the volume of content the exploiter must sift through.
It’s still a piece of information to keep in mind when sharing anything over Facebook—or any other social network, for that matter.
This isn’t the first time Messenger has been the target of an exploit that put user privacy at risk; last year, researchers found they could track users’ locations through the platform by silently soliciting pings that revealed a device’s location from a rogue network.
Before that potential vulnerability came to light, a Facebook intern exposed the sheer amount of location information Messenger collects from users by building a Google Chrome extension that mapped out all the data, showing users exactly where their friends were located while talking to them.
AJ Dellinger is a seasoned technology writer whose work has appeared in Digital Trends, International Business Times, and Newsweek. In 2018, he joined Gizmodo as the nights and weekend editor.