Security researcher: Anyone can see links you share using Facebook Messenger

When you use a messaging service like Facebook Messenger, you have a reasonable expectation that what you say is private and secure. But due to a quirk in how Facebook handles certain pieces of information, just about anyone who knows how to use Facebook’s developer API can view links that others have sent over Facebook Messenger.

In a post published to Medium, security researcher Inti De Ceukelaire explains how this works. Without getting too technical, every link you share—as well as just about anything else that’s ever been shared to Facebook—has an identification number of sorts assigned to it. As De Ceukelaire notes, “there’s absolutely nothing wrong with this. At least when this data is kept secret.” 

De Ceukelaire tested to see if he could search for items by these identification numbers using the Facebook API developer tools. And while he got “access denied” errors in most cases, he discovered that he could access links shared on Facebook this way.

With help from a friend, De Ceukelaire was able to verify what he found—and as it turns out, links don’t necessarily need to be made public to the wider world for someone to access them using this method. The pair also discovered that they were able to access links shared via Facebook Messenger. 

Why this matters: It’s important to note that you can only find links at random using this method—you can’t, say, view links shared only by one of your friends. So while odds are relatively slim that any particular link you share will be harvested this way—Facebook has over one billion active daily users, according to the company—the fact that any link you share on Facebook could be found at random is a little troubling.

Facebook’s going to fix this, right?

This is the second time in the past week that security researchers have highlighted security problems involving Facebook Messenger. Researchers with security software firm Check Point recently identified a bug that allowed attackers to modify old Facebook chat logs. Facebook fixed that flaw, but don’t expect Facebook to fix De Ceukelaire’s issue any time soon.

According to a response De Ceukelaire received from Facebook, the issue he discovered is “publicly-documented [sic] and intentional behavior.” Although De Ceukelaire says he respects Facebook’s decision, he also feels that “it is our right to know who can see the data we share.”

While app and web developers may find this sort of feature useful, it also means that attackers could write a script and harvest random links in bulk and look for personal information to exploit. As De Ceukelaire notes, “links sometimes include personal stuff without you even knowing.”

In the meantime, it’s probably a good idea to avoid sharing links via Facebook Messenger unless you want some random person snooping in your URLs.

IDG News Service
