Facebook Messenger bug allows anyone to access private links sent between users

A hacker has dicovered that when we share links on Facebook the information is stored and can be accessed

Emma Boyle
Thursday 30 June 2016 15:11 BST

A hacker has recently discovered a vulnerability in Facebook that could enable anyone to see the links you’ve sent privately through Messenger. Although Facebook is now aware of the problem, it has no plans to fix it.

When you share a link with a friend through a Facebook message or a status update and they click on it, Facebook’s crawler obtains details about the URL to display it in the way you're used to seeing it on the platform, with a title, a thumbnail, and a description. Facebook then assigns this information its own unique identification number and stores it. This means that the next time Facebook has to display this link, it simply has to extract the required information from its database. The problem is that like most things on the internet this information isn't completely secure.

Once you share a link and its identification number has been assigned to it, anyone can request information about the link using this number through the Facebook API, even when it’s been shared privately.

The vulnerability was discovered by security researcher Inti De Ceukelaire who showed that using Facebook’s crawler they were able to access links shared privately through Facebook Messenger, including links to Google doc files. Even when users were only sending fairly innocent looking links that didn't contain any immediate personal information, De Ceukelaire pointed out that small pieces of could still be extracted from the shared URLs, including names, locations,and languages.

Fortunately, it’s not possible to target a specific user by doing this and you would have to be fairly unlucky for anyone to stumble across any important information, but De Ceukelaire thinks it would be possible for hackers without a target to extract links from Facebook over a longer period until they found data worth using. It should be noted, however, that Facebook does have protections in place which limit the amount of times requests such as this can be made to prevent any exploitation. Besides this, the sheer number of links that a hacker would have to sift through for even a small amount of private information if Facebook didn't catch them first means the situation isn't quite as urgent as De Ceukerlaire's post suggests.

The next stage for Facebook?

After reporting the problem to Facebook, De Ceukelaire was told by the company that as it was deemed “intentional behaviour” and as that's simply how the crawler works there would be no efforts made to fix it. Researchers at online security site Check Point also recently discovered a bug in Facebook Messenger that would have allowed a malicious user to change a conversation thread in the app by modifying or removing any messages, photos, files, and links. After Check Point flagged up the vulnerability to Facebook, it was swiftly fixed.

In response to Facebook’s decision not to fix the bug, De Ceukelaire has opted to share what they’ve discovered, saying “it’s our right to be informed of the design decisions which may impact our privacy.” Though it would be difficult to abuse the flaw and affect users, it's information worth bearing in mind before you share private links over Facebook.

This news comes after it was recently revealed that Facebook had been testing a tool which would track the locations of its users in order to determine who they might be friends with and another report suggested that the social network has been using mobile phone microphones to gather data on what its users are talking about for advertising purposes.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in