Why you shouldn’t share links on Facebook — Medium


Consider links you share in private messages as public information anyone can read.

1 Comment

  1. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Links shared in Facebook Messenger can be uncovered by anyone through querying Facebook’s API

    Facebook has a problem with private links
    Developers are able to view privately shared links by querying the company’s database

    Facebook has a link problem. Earlier this week, a security researcher named Inti De Ceukelaire detailed a curious fact about how Facebook Messenger treats privately shared links. Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they’re shared in private messages, they’re logged in Facebook’s database, and accessible to API calls.

    It would be hard to exploit that bug at scale for a few different reasons.

    Still, the bug points to a number of lingering problems with the conflicting way web services treat URLs, and how those conflicts can put private information into public view.

    The practice of scanning links is larger than just Facebook. URLs are a common place for sites to collect data, either by routing the link through an intermediary or dropping some query tags at the end of the URL. That’s a great way to keep track of where people are coming from, but it can cause real privacy concerns, as Facebook is now discovering. Twitter was hit with a similar lawsuit last month, alleging that link-shortening measures in direct-messaged links constituted a violation of privacy. If bit.ly knows which links to shorten, they know which links are being sent to you.

    But while some systems are using URLs as public data points, other systems are using them as passwords. If you’re sharing a Google document or a Dropbox folder, that URL is as much of a password as an address, a system that also plays a central role in Google Photos. Scooping up those URLs in transit is a genuine security risk, exposing potentially sensitive documents to third-party intermediaries.

    That leaves consumers in a tricky place. When Google gives you a private 40-character URL, how are you meant to share it without allowing it to be scraped?
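The two roles the article describes, URLs as tracking data points and URLs as passwords, can be told apart mechanically before a link is pasted into anything that crawls it. The following is an added example, not code from the article, Facebook, Google or Dropbox: it flags URLs whose path or query carries a long random token (the capability case) and strips tracking query tags (the data-point case). The tracking key list, the entropy threshold and the sample URLs are constructed for illustration.

```python
import math
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys that exist only to record where a click came from (constructed list, not exhaustive).
TRACKING_KEYS = {"utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content", "fbclid"}

# A capability token: long, URL-safe, mixes letters and digits, so a readable slug like
# "facebook-link-problem" (no digits) does not match.
TOKEN_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9_-]{20,}$")


def shannon_entropy(s):
    """Bits per character; random ids score high, dictionary words and slugs score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def secret_tokens(url):
    """Path segments, query values and fragment that look like bearer tokens (the 'URL as password' case)."""
    parts = urlsplit(url)
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k not in TRACKING_KEYS]
    if parts.fragment:
        candidates.append(parts.fragment)
    # Threshold of 4.0 bits/char is an assumption tuned for base64-style ids, not a published figure.
    return [c for c in candidates if TOKEN_RE.match(c) and shannon_entropy(c) >= 4.0]


def strip_tracking(url):
    """Drop tracking query tags (the 'URL as data point' case) before a link is forwarded anywhere."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k not in TRACKING_KEYS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def safe_to_share(url):
    """False when the link itself grants access: it must not go through a channel that logs or crawls links."""
    return not secret_tokens(url)


if __name__ == "__main__":
    # Constructed sample: a share link whose id is the only thing protecting the document.
    doc = "https://docs.google.com/document/d/1aB2cD3eF4gH5iJ6kL7mN8oP9qR0sT/edit"
    news = "https://www.theverge.com/2016/2/facebook-messenger-link-problem?utm_source=twitter&id=5"
    print(secret_tokens(doc), safe_to_share(doc))
    print(strip_tracking(news), safe_to_share(news))
```

A crawler-side preview fetcher could apply the same test in reverse and refuse to log or index any URL for which `secret_tokens` is non-empty.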

