After researchers at Checkpoint recently discovered a security vulnerability that allowed hackers to alter messages and links sent through Facebook Messenger, the social media giant immediately patched the flaw. But a recent exposé, appearing on Medium, revealed that links sent privately through the Messenger system can be read by anyone.
After Inti De Ceukelaire, a reporter/researcher from Medium, contacted Facebook to highlight the security issue, the company replied by saying that this was “intentional behavior” and suggested there would be no attempts to address the vulnerability.
Researchers discovered that the official developer’s application Facebook Crawler could be exploited to see what links had been sent through the private messaging application. The Facebook Crawler works by assigning website links and attachments an identification number and then storing this information.
Once a link is shared and assigned a number, information about the link is then accessible to anyone simply by searching for the identification number. All objects stored on Facebook, whether it’s a picture, a status, or a link, are given a unique, non-chronological identification number.
De Ceukelaire discovered that with the proper identification number, it was possible to access information about links privately shared through Facebook Messenger.
According to the report by Medium:
While you may only share links to funny cat videos with your friends, you should still be worried about this exploit. Sometimes, sensitive information (personal data, secret keys, …) is included in links without you even noticing…
In this small set of extracted URLs, I’ve already found some interesting info:
• Names: Heather, Jenny, Paula, Yollanda, Bernardo, …
• Location or language.
• Attachments or pictures from the FB CDN: Direct link that sometimes allows access bypassing privacy restrictions.
• Application or game data: Some parameters are friend_level, friend_chips, user_name, group, steal_amount, …
• Secret links or hidden keys: Such as the editable Google Drive links or links to hidden pages, websites, and beta environments.
…and these aren’t mutually exclusive; some URLs include multiple parameter types listed above in one single link, thereby allowing a total stranger to gain personal information about you. Hello NSA?
While this technique is generally inefficient, as it can’t be used to identify specific links shared by individual users – and would require mass inputting of identification codes to find information – this flaw could easily be utilized by state actors, operating in a methodical manner, to target individual users.
The fact that Facebook allows this type of security flaw to remain unpatched reveals a clear lack of investment in their users’ informational security — a continuing and ongoing problem with the social media platform.
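The report's observation that shared links often carry personal data or secrets suggests checking a URL before it is pasted into a chat. The Python below is an added example, not code from the report or from Facebook; the hint lists, the host list and the function names are assumptions made for illustration, while the app-state parameter names are the ones quoted in the report.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed name fragments (heuristics chosen for this example, not from the report).
SECRET_HINTS = ("token", "key", "secret", "signature", "auth", "passw", "session")
IDENTITY_HINTS = ("name", "email", "user", "phone")
# Application/game parameters quoted in the report.
APP_STATE = {"friend_level", "friend_chips", "group", "steal_amount"}
# Hosts where an "/edit" path is an editable document link (assumed list).
DOC_HOSTS = {"drive.google.com", "docs.google.com"}

def classify_param(key):
    """Map a parameter name to a category from the report, or None."""
    k = key.lower()
    if k in APP_STATE:
        return "app-state"
    if any(h in k for h in SECRET_HINTS):
        return "secret"
    if any(h in k for h in IDENTITY_HINTS):
        return "identity"
    return None

def audit_url(url):
    """Return (category, detail) findings for one URL, in order of appearance."""
    parts = urlsplit(url)
    findings = []
    if parts.username or parts.password:
        findings.append(("secret", "userinfo"))
    # Capability link: possession of the URL is the only access control.
    if (parts.hostname or "") in DOC_HOSTS and "/edit" in parts.path:
        findings.append(("capability-link", parts.path))
    # Fragments can carry parameters too, so parse both.
    for source in (parts.query, parts.fragment):
        for key, _ in parse_qsl(source, keep_blank_values=True):
            category = classify_param(key)
            if category:
                findings.append((category, key))
    return findings

def scrub_url(url):
    """Drop userinfo, fragment and flagged query parameters.
    A capability link cannot be scrubbed: its secret is the path itself."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if classify_param(k) is None]
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, urlencode(kept), ""))
```

A link flagged as `capability-link` has to be fixed at the source, by tightening the document's sharing settings, because removing parameters does not revoke the access the path grants.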