Facebook Developers Can See Private Links Shared Through Messenger

Earlier this week, security researchers at Checkpoint reported about vulnerabilities in Facebook Chat and Messenger that, if exploited, could allow anyone to essentially take control of any message sent by Chat or Messenger. Now a developer named Inti De Ceukelaire is pointing out another flaw in how Facebook deals with URLs. The Verge reports: Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they're shared in private messages, they're logged in Facebook's database, and accessible to API calls. It would be hard to exploit that bug at scale for a few different reasons. De Ceukelaire was only able to make the API call because he's registered as a Facebook developer, and if he started pulling those links en masse, Facebook would quickly catch on and pull his credentials. Still, the bug points to a number of lingering problems with the conflicting way web services treat URLs, and how those conflicts can put private information into public view.

But can they see me naked?

I can only hope they can!

Re:But can they see me naked?

only if you put a sharpie in your pooper

Uhhh, yeah

This just in... sending unencrypted messages through a third party service means random joes at that company have a pretty good chance of reading your "private" conversations.

You can either encrypt everything, use other providers that you haven't learned how evil they are yet, or just deal with it. Privacy died 150 years ago at least.

Re:Uhhh, yeah

[Wootery]

Privacy died 150 years ago at least.

Not even close.

Mass-scale spying has been simply impossible until very recently.

This is absolutely true

The place I work at, we mine private FB chats. I've since told some of my friends. Definitely do not share any URLs you want kept private via FB messages.

Re:This is absolutely true

[Qzukk]

Definitely do not share any URLs you want kept private via FB messages.

Don't share them on anything. It's not just facebook. You go to any forum and send a "private" message and only you, the recipient, and everyone with read access to the database can see it.

Re:This is absolutely true

isn't this thru for all ISP as well?

Re:This is absolutely true

Next up, Google can read your GMail, Microsoft can read your Outlook, etc..

If you want it kept private, encrypt it!

Re:This is absolutely true

[FatdogHaiku]

isn't this thru for all ISP as well?

That's why you use a VPN, then only you and... crap!

Re:This is absolutely true

The place I work at, we mine private FB chats. I've since told some of my friends. Definitely do not share any URLs you want kept private via FB messages.

That's what folks don't get. And they publish so much personal information about themselves and think they're safe if they make their page private or whatever it is they do - I don't use fb and never will.

And what surprises me that no one has thought of mining all that data and stealing identities. It wouldn't be hard to get all the information needed. Even if you lie.

My wife put a fake BD on her profile and a bunch of her friends all wished her happy birthday on her real birthday.

Need your mother's maiden name? Not hard at all. For one thing, I'd find their mom and see if her brother is there. Look at her brother's last name and shazzam!

Recent addresses? Not that hard either.

Mix in some googling and It would be nothing to find the information to answer credit bureau or bank questions to "prove" that one is the person they stole the identity from. Next thing you know, there's a new car loan and second mortgage on your house and your tax refund going to someone across the country.

Re:This is absolutely true

[HelpTheNewOverlord]

From what I understood, the problem is not that Facebook can (and obviously will) see the link attached to you profile. The problem is that anyone using Facebook API will also be able to do the same...

What's wrong with you neckbeards?

If you're over the age of 8 and you still like Star Wars you're probably a dick smoking faggot.

Re:What's wrong with you neckbeards?

I don't want to begin to imagine where you get these projections, but hopefully the authorities keep an eye on you around 9+ year old children who like Star Wars.

Obvious

[epyT-R]

This should be patently obvious to anyone posting here.

Remember, only apps can app apps!

The app appers at Facebook are using APPS to app apps that app appers are apping, so this is all perfectly appy! It's only when LUDDITES use LUDDITE email that it's bad and wrong.

Apps!

Stop using Farcebook!

[Aethedor]

How many times do you need to be screwed before you get it?

No shit

[aepervius]

Unless there is a user encryption, pretty much anything you enter in an application anywhere is at the mercy of what the developer wants. Only the requirements force the developper into making system where even themselves cannot peak (because it is good practice , like salted encrypted password, or because of regulation or....). Any messenger which do not advertise end to end encryption with key not guessable/no backdoor, can read everything you do including links.

Not THE developer. ANY "developer".

Any developer. I.e. anyone (literally, last I cared to check) can register as a "Developer" via the website (for free), create an app and use it to abuse other people's privacy.

Keep public URLs private!

[Threni]

Makes sense!

If you do want to keep links private, there are services which let you share URLS by sticking them behind another url which only works once, and/or needs a password etc.

Why are people complaining that something which is sent over an unencrypted channel is visible to people other than the intended recipient? Even facebook provides a solution for that; whatsapp.

koala

[For+a+Free+Internet]

pristifurtuologopongoftyapp your evil odor by forces loyal to Saddam Hussein in K-Mart!!!!!!!

FB Tracks EVERYTHING they can

Even if you do NOT submit a message, FB knows what you typed, even if you HOVER over a link, they know what you hovered over.

Don't believe me?

Perform these actions and watch your COOKIE's go NUTS.

I also recommend you decompile your Android FB app and see what the generated code is. I already did.

It should be like this

They can probably see the links shared in private but they should have acces so they can change things.