When you use a messaging service like Facebook Messenger, you have a reasonable expectation that what you say is private and secure. But due to a quirk in how Facebook handles certain pieces of information, just about anyone who knows how to use Facebook’s developer API can view links that others have sent over Facebook Messenger.
In a post published to Medium, security researcher Inti De Ceukelaire explains how this works. Without getting too technical, every link you share—as well as just about anything else that’s ever been shared to Facebook—has an identification number of sorts assigned to it. As De Ceukelaire notes, “there’s absolutely nothing wrong with this. At least when this data is kept secret.”
De Ceukelaire tested to see if he could search for items by these identification numbers using the Facebook API developer tools. And while he got “access denied” errors in most cases, he discovered that he could access links shared on Facebook this way.
With help from a friend, De Ceukelaire was able to verify what he found—and as it turns out, links don’t necessarily need to be made public to the wider world for someone to access them using this method. The pair also discovered that they were able to access links shared via Facebook Messenger.
Why this matters: It’s important to note that you can only find links at random using this method—you can’t, say, view links shared only by one of your friends. So while odds are relatively slim that any particular link you share will be harvested this way—Facebook has over one billion active daily users, according to the company—the fact that any link you share on Facebook could be found at random is a little troubling.
Facebook’s going to fix this, right?
This is the second time in the past week that security researchers have highlighted security problems involving Facebook Messenger. Researchers with security software firm CheckPoint recently identified a bug that allowed attackers to actually modify old Facebook chat logs. Facebook fixed that flaw, but don’t wait for Facebook to fix De Ceukelaire’s issue any time soon.
According to a response De Ceukelaire received from Facebook, the issue he discovered is “publicly-documented [sic] and intentional behavior.” Although De Ceukelaire says he respects Facebook’s decision, he also feels that “it is our right to know who can see the data we share.”
While app and web developers may find this sort of feature useful, it also means that attackers could write a script and harvest random links in bulk and look for personal information to exploit. As De Ceukelaire notes, “links sometimes include personal stuff without you even knowing.”
In the meantime, it’s probably a good idea to avoid sharing links via Facebook Messenger unless you want some random person snooping in your URLs.