Yes, Facebook says that anyone can see any of the three million links that are shared every hour in private conversations. That’s a feature, not a bug. But before you get too freaked out about this type of Messenger “feature,” you should know that your privacy isn’t exactly breached, and a hacker would have a seriously hard time figuring out who shared which link with whom.
Belgium-based security researcher Inti De Ceukelaire revealed in a post on Medium earlier this month that links shared in Messenger chats are found by Facebook’s crawler tool, which gives them a numerical identifier so that they can be displayed over and over after being shared once. It turns out that developers can request any object in Facebook by its number, including these shared links.
The researcher was able to extract 70 links in 10 minutes, without being able to obtain information about the chats from which they originated.
Facebook, meanwhile, told The Daily Dot that De Ceukelaire indeed contacted the social network about the flaw, but said that it’s not a flaw at all. It’s how Facebook works, and it can’t be used by hackers for malicious purposes.
Facebook is “confident that the risk to URLs people share in messages is very low.” The company has various protections in place to prevent abuse, including rate limiting on requests and throttling that “can detect suspicious activity and which we have recently strengthened further.”
The company said that the technique used “could only return random URLs and would not tie the sharing of a link to any particular person on Facebook. We have not seen abuse of this matter, and we are constantly working to make the security of our systems stronger.”
“As always, we are focused on keeping your message content safe,” Facebook added.
From the looks of it, people can’t spy on other anyone’s Messenger chats as a result of these publicly available links. That means you can still send links in Messenger without worrying who reads them, other than Facebook.
But you should still be wary of this flaw.
If you’re looking to share personal data hosted on some site or a personal server, then absolutely avoid sharing links on Messenger because these links can indeed be found. Send private links using Signal instead. Or WhatsApp. Or iMessage. All these chat apps feature end-to-end encryption, with the first two working across platforms.
More from BGR: This is the iPhone 7 leak we’ve been waiting for
This article was originally published on BGR.com
Source: SANS ISC SecNewsFeed @ June 30, 2016 at 05:24PM