Have you ever sent your friend a link to something funny on Facebook Messenger? There’s a chance that someone you don’t know has seen that link.
A quirk in Facebook’s developer tools lets anyone see links others have shared using Facebook Messenger – and Facebook doesn’t plan on fixing this problem anytime soon.
If you don’t think that’s a problem, then take a look back through the links you’ve sent to people on Facebook. There’s a good chance there are links to private YouTube videos, private cloud files, and other sensitive information.
Without getting too technical, here’s the basic version of how the Facebook Messenger flaw works:
- Every link you share – as well as everything that’s ever been shared to Facebook – is assigned an identification number. That’s normal and okay – it’s the same way a lot of data is handled on other platforms.
- Using the Facebook API developer tools, anyone can search for items using these identification numbers. This can lead to “access denied” errors in some cases, although researchers were still able to access links shared on Facebook using this method.
- The discovered links don’t necessarily need to be made public to the wider world for someone to access them using this method.
- Researchers found they were able to access links shared via Facebook Messenger as well as through the main Facebook site.
One reason why this isn’t as serious a flaw as it seems is that you can only find links at random using this method. You can’t target a friend or celebrity to check their updates. So the odds of you stumbling upon anything relevant are remote (remember that Facebook has over 1 billion active daily users).
Still, this is a serious security flaw. The fact that someone could randomly find updates and links you’ve shared via Facebook or Messenger is troubling, to say the least.
It’s not out of the realm of possibility that an attacker could write a script and harvest random links in bulk looking for personal information to exploit. How many millions of links can be crawled through before you find some incriminating personal information?
Check Point – the same research team that found the exploit listed above – recently found another flaw in Messenger that allowed attackers to modify old Facebook chat logs.
Facebook fixed that flaw. But for whatever reason, it doesn’t plan to fix this latest flaw.
A Check Point researcher claims he received a response from Facebook stating that the issue he found is “publicly-documented [sic] and intentional behavior”. In other words, there’s no reasonable expectation of privacy – despite the fact that the links were shared using Messenger and not publicly shared on Facebook.
Ultimately, smart people have always avoided sharing personal stuff on Facebook Messenger. Now, with this latest exploit discovered, it’s a good idea to stop sharing personal links via Facebook Messenger – you never know who’s going to look at that link.