Slashdot Mirror


Facebook Developers Can See Private Links Shared Through Messenger (theverge.com)

Earlier this week, security researchers at Check Point reported vulnerabilities in Facebook Chat and Messenger that, if exploited, could allow anyone to essentially take control of any message sent by Chat or Messenger. Now a developer named Inti De Ceukelaire is pointing out another flaw in how Facebook deals with URLs. The Verge reports: Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they're shared in private messages, they're logged in Facebook's database, and accessible to API calls. It would be hard to exploit that bug at scale for a few different reasons. De Ceukelaire was only able to make the API call because he's registered as a Facebook developer, and if he started pulling those links en masse, Facebook would quickly catch on and pull his credentials. Still, the bug points to a number of lingering problems with the conflicting ways web services treat URLs, and how those conflicts can put private information into public view.

22 comments

  1. But can they see me naked? by Anonymous Coward · · Score: 2, Funny

    I can only hope they can!

    1. Re:But can they see me naked? by Anonymous Coward · · Score: 0

      only if you put a sharpie in your pooper

  2. Uhhh, yeah by Anonymous Coward · · Score: 0

    This just in... sending unencrypted messages through a third party service means random joes at that company have a pretty good chance of reading your "private" conversations.

    You can either encrypt everything, use other providers that you haven't learned how evil they are yet, or just deal with it. Privacy died 150 years ago at least.

    1. Re:Uhhh, yeah by Wootery · · Score: 1

      Privacy died 150 years ago at least.

      Not even close.

      Mass-scale spying has been simply impossible until very recently.

  3. This is absolutely true by Anonymous Coward · · Score: 0

    The place I work at, we mine private FB chats. I've since told some of my friends. Definitely do not share any URLs you want kept private via FB messages.

    1. Re:This is absolutely true by Qzukk · · Score: 1

      Definitely do not share any URLs you want kept private via FB messages.

      Don't share them on anything. It's not just facebook. You go to any forum and send a "private" message and only you, the recipient, and everyone with read access to the database can see it.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:This is absolutely true by Anonymous Coward · · Score: 0

Isn't this true for all ISPs as well?

    3. Re:This is absolutely true by Anonymous Coward · · Score: 0

Next up, Google can read your Gmail, Microsoft can read your Outlook, etc.

      If you want it kept private, encrypt it!

    4. Re:This is absolutely true by FatdogHaiku · · Score: 1

Isn't this true for all ISPs as well?

      That's why you use a VPN, then only you and... crap!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:This is absolutely true by Anonymous Coward · · Score: 0

      The place I work at, we mine private FB chats. I've since told some of my friends. Definitely do not share any URLs you want kept private via FB messages.

      That's what folks don't get. And they publish so much personal information about themselves and think they're safe if they make their page private or whatever it is they do - I don't use fb and never will.

And what surprises me is that no one has thought of mining all that data and stealing identities. It wouldn't be hard to get all the information needed. Even if you lie.

      My wife put a fake BD on her profile and a bunch of her friends all wished her happy birthday on her real birthday.

      Need your mother's maiden name? Not hard at all. For one thing, I'd find their mom and see if her brother is there. Look at her brother's last name and shazzam!

      Recent addresses? Not that hard either.

Mix in some googling and it would be nothing to find the information to answer credit bureau or bank questions to "prove" that one is the person they stole the identity from. Next thing you know, there's a new car loan and a second mortgage on your house and your tax refund going to someone across the country.

    6. Re:This is absolutely true by HelpTheNewOverlord · · Score: 1

From what I understood, the problem is not that Facebook can (and obviously will) see the link attached to your profile. The problem is that anyone using the Facebook API will also be able to do the same...

  4. Re:What's wrong with you neckbeards? by Anonymous Coward · · Score: 0

    I don't want to begin to imagine where you get these projections, but hopefully the authorities keep an eye on you around 9+ year old children who like Star Wars.

  5. Obvious by epyT-R · · Score: 3, Insightful

    This should be patently obvious to anyone posting here.

  6. Stop using Farcebook! by Aethedor · · Score: 1

    How many times do you need to be screwed before you get it?

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  7. No shit by aepervius · · Score: 1

Unless there is user encryption, pretty much anything you enter in an application anywhere is at the mercy of what the developer wants. Only the requirements force the developer into making a system where even they themselves cannot peek (because it is good practice, like salted encrypted passwords, or because of regulation or....). Any messenger which does not advertise end-to-end encryption, with a key that is not guessable and no backdoor, can read everything you do, including links.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  8. Not THE developer. ANY "developer". by Anonymous Coward · · Score: 1

    Any developer. I.e. anyone (literally, last I cared to check) can register as a "Developer" via the website (for free), create an app and use it to abuse other people's privacy.

  9. Keep public URLs private! by Threni · · Score: 1

    Makes sense!

If you do want to keep links private, there are services which let you share URLs by sticking them behind another URL which only works once, and/or needs a password, etc.

    Why are people complaining that something which is sent over an unencrypted channel is visible to people other than the intended recipient? Even Facebook provides a solution for that: WhatsApp.

  10. FB Tracks EVERYTHING they can by Anonymous Coward · · Score: 0

    Even if you do NOT submit a message, FB knows what you typed, even if you HOVER over a link, they know what you hovered over.

    Don't believe me?

    Perform these actions and watch your COOKIE's go NUTS.

    I also recommend you decompile your Android FB app and see what the generated code is. I already did.

  11. It should be like this by Anonymous Coward · · Score: 0

They can probably see the links shared in private, but they should have access so they can change things.