Private Links Shared on Facebook Messenger Aren't So Private: Report

By Ketan Pratap | Updated: 13 June 2016 18:02 IST
Highlights
  • The security researcher informed Facebook about the issue.
  • Facebook responded stating that the process was intended.
  • Facebook is not likely to fix the issue as per researcher.
Private Links Shared on Facebook Messenger Aren't So Private: Report

Privacy and security have been contentious issues for all social networks, and Facebook is no exception. We've suggested that our readers perform a digital clean-up to ensure their accounts are safe. However, a recent report suggested that a new vulnerability in Facebook's Messenger app and online chat could allow an attacker to change or modify a conversation in the thread. The company, however, patched that bug.

Now, security researcher Inti De Ceukelaire has claimed in a Medium post that links shared privately on Messenger can be read by Facebook and by developers with access to its API. Ceukelaire informed the company about the issue and was shocked to learn that "Facebook had no problems with privately shared links being accessible."

Ceukelaire was able to access the links using Facebook's crawler tool. The social giant describes the tool as follows: "Content is most often shared to Facebook in the form of a webpage. The first time someone shares a link, the Facebook crawler will scrape the HTML at that URL to gather, cache and display info about the content on Facebook like a title, description, and thumbnail image."

During his testing, Ceukelaire discovered that every object saved on Facebook, such as an image, a status, or even a link, was given a "unique, non-chronological identification number". He noticed Mark Zuckerberg was object number four on Facebook.

He noted that developers can request an object by its number via the Facebook API (an interface for developers), which returns the details "only" if they have permission to access it. After some more searching, he decided to request a URL for the queried object and was given the link address. He then "wrote a quick script that would take any identification number and increment it gradually to discover other links," and found that it returned a list of URLs shared by users.
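The gap described above, where the permission check guards an object's details but not the field that returns its URL, can be modelled in a few lines. This is an added example, not code from Facebook or the researcher: the store, the `can_view` rule and all names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SharedLink:
    object_id: int
    owner: str
    url: str
    title: str
    audience: set = field(default_factory=set)  # users the link was shared with

# Constructed sample data: a toy object store, not Facebook's data model.
STORE = {
    1001: SharedLink(1001, "alice", "https://example.test/reset?token=CONSTRUCTED",
                     "Reset", {"alice", "bob"}),
    1002: SharedLink(1002, "carol", "https://example.test/cats", "Cats", {"carol"}),
}

class Forbidden(Exception):
    pass

def can_view(requester, obj):
    # Hypothetical rule: only the owner and the chat participants may read the object.
    return requester == obj.owner or requester in obj.audience

def get_fields_flawed(requester, object_id, fields):
    """The pattern in the article: the check guards the details, not the URL field."""
    obj = STORE[object_id]
    out = {}
    for name in fields:
        if name == "url":
            out[name] = obj.url  # this code path never consults can_view()
        elif can_view(requester, obj):
            out[name] = getattr(obj, name)
    return out

def get_fields_checked(requester, object_id, fields):
    """Authorize once per object, before any field is read."""
    obj = STORE.get(object_id)
    # Same error for "missing" and "not allowed", so replies do not reveal valid IDs.
    if obj is None or not can_view(requester, obj):
        raise Forbidden("object not available")
    allowed = {"object_id", "url", "title"}
    return {name: getattr(obj, name) for name in fields if name in allowed}
```

With the check applied per object rather than per field, guessable identification numbers stop mattering, and the control no longer rests on rate limiting alone.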

"[While] it's not possible to get links for a specific user, you could easily run through results all day* until you find something interesting. *Yes, Facebook does block excessive requests but there are ways to bypass that, e.g., using multiple access tokens and if needed, VPN's. Rate limiting won't stop someone who is determined," he added.


He pointed out that the results didn't confirm the user who shared the link, but that working this out was not hard, considering the user ID was linked to the results shown. The researcher points out that shared links can sometimes carry personal details which the user doesn't intend to share with others.

"While you may only share links to funny cat videos with your friends, you should still be worried about this exploit. Sometimes, sensitive information (personal data, secret keys, ...) are included in links without you even noticing," adds Ceukelaire.

 
