Facebook Messenger bug allows anyone to access private links sent between users
Once you share a link and Facebook assigns it an identification number, anyone who knows that number can request information about the link through the Facebook API, even when the link was shared privately.
The vulnerability was discovered by security researcher Inti De Ceukelaire, who showed that using Facebook’s crawler they were able to access links shared privately through Facebook Messenger, including links to Google Docs files. Even when users were only sending fairly innocent-looking links that didn’t contain any immediate personal information, De Ceukelaire pointed out that small pieces of information could still be extracted from the shared URLs, including names, locations, and languages.
Fortunately, it’s not possible to target a specific user this way, and someone would have to be fairly unlucky for anyone to stumble across any important information, but De Ceukelaire thinks it would be possible for hackers without a specific target to extract links from Facebook over a longer period until they found data worth using. It should be noted, however, that Facebook does have protections in place which limit the number of times requests such as this can be made, to prevent exploitation. Besides this, the sheer number of links that a hacker would have to sift through for even a small amount of private information, assuming Facebook didn’t catch them first, means the situation isn’t quite as urgent as De Ceukelaire’s post suggests.
After reporting the problem to Facebook, De Ceukelaire was told by the company that, as it was deemed “intentional behaviour” and that’s simply how the crawler works, no effort would be made to fix it. Researchers at online security firm Check Point also recently discovered a bug in Facebook Messenger that would have allowed a malicious user to alter a conversation thread in the app by modifying or removing any messages, photos, files, and links. After Check Point flagged the vulnerability to Facebook, it was swiftly fixed.
In response to Facebook’s decision not to fix the bug, De Ceukelaire has opted to share what they’ve discovered, saying “it’s our right to be informed of the design decisions which may impact our privacy.” Though it would be difficult to abuse the flaw and affect users, it’s information worth bearing in mind before you share private links over Facebook.
This news comes after it was recently revealed that Facebook had been testing a tool which would track the locations of its users in order to determine who they might be friends with, and after another report suggested that the social network has been using mobile phone microphones to gather data on what its users are talking about for advertising purposes.