Facebook has a link problem. Earlier this week, a security researcher named Inti De Ceukelaire detailed a curious fact about how Facebook Messenger treats privately shared links. Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they’re shared in private messages, they’re logged in Facebook’s database, and accessible to API calls.
It would be hard to exploit that bug at scale for a few different reasons.
Still, the bug points to a number of lingering problems with the conflicting way web services treat URLs, and how those conflicts can put private information into public view.
The practice of scanning links is larger than just Facebook. URLs are a common place for sites to collect data, either by routing the link through an intermediary or dropping some query tags at the end of the URL. That’s a great way to keep track of where people are coming from, but it can cause real privacy concerns, as Facebook is now discovering. Twitter was hit with a similar lawsuit last month, alleging that link-shortening measures in direct-messaged links constituted a violation of privacy. If bit.ly knows which links to shorten, they know which links are being sent to you.
But while some systems are using URLs as public data points, other systems are using them as passwords. If you’re sharing a Google document or a Dropbox folder, that URL is as much of a password as an address, a system that also plays a central role in Google Photos. Scooping up those URLs in transit is a genuine security risk, exposing potentially sensitive documents to third-party intermediaries.
That leaves consumers in a tricky place. When Google gives you a private 40-character URL, how are you meant to share it without allowing it to be scraped?
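The tension described above, URLs that are tracking data points for some services and passwords for others, can be made concrete with a small heuristic. This added example (not code from The Verge, Facebook or any of the services named) flags path segments and query values that have the shape of a share-link secret and redacts them before a link-preview crawler writes the URL to a log; the length and entropy thresholds, and the sample URLs, are constructed assumptions.

```python
import math
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Heuristic thresholds; both values are assumptions chosen for this example.
MIN_TOKEN_LEN = 20          # shorter segments are usually ids, dates or slugs
MIN_BITS_PER_CHAR = 3.5     # random alphanumerics score well above this
TOKEN_CHARS = re.compile(r"[A-Za-z0-9_-]+")

def shannon_entropy(s: str) -> float:
    """Estimated bits per character from the character frequencies of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_capability_token(s: str) -> bool:
    """True for long, high-entropy strings that mix character classes,
    the shape of a share-link secret; a lowercase article slug never qualifies."""
    if len(s) < MIN_TOKEN_LEN or not TOKEN_CHARS.fullmatch(s):
        return False
    classes = sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return classes >= 2 and shannon_entropy(s) >= MIN_BITS_PER_CHAR

def is_secret_bearing(url: str) -> bool:
    """True if any path segment or query value looks like a capability token."""
    parts = urlsplit(url)
    segments = [seg for seg in parts.path.split("/") if seg]
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(looks_like_capability_token(s) for s in segments + values)

def redact_for_logging(url: str) -> str:
    """Return a copy of url with capability tokens replaced, so a crawler or
    link-preview log records where a link pointed without storing the secret."""
    parts = urlsplit(url)
    path = "/".join(
        "REDACTED" if looks_like_capability_token(seg) else seg
        for seg in parts.path.split("/"))
    query = urlencode([
        (k, "REDACTED" if looks_like_capability_token(v) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))
```

A tracking-tagged news link passes through untouched, while a share link with a 40-character document id is logged with the id removed.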
1 Comment
Tomi Engdahl says:
Russell Brandom / The Verge:
Links shared in Facebook Messenger can be uncovered by anyone through querying Facebook’s API
Facebook has a problem with private links
Developers are able to view privately shared links by querying the company’s database
http://www.theverge.com/2016/6/10/11903048/facebook-messenger-private-link-scraping-database