
Facebook Developers Can See Private Links Shared Through Messenger (theverge.com) 22

Earlier this week, security researchers at Check Point reported vulnerabilities in Facebook Chat and Messenger that, if exploited, could allow anyone to essentially take control of any message sent by Chat or Messenger. Now a developer named Inti De Ceukelaire is pointing out another flaw in how Facebook deals with URLs. The Verge reports: Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they're shared in private messages, they're logged in Facebook's database, and accessible to API calls. It would be hard to exploit that bug at scale for a few different reasons. De Ceukelaire was only able to make the API call because he's registered as a Facebook developer, and if he started pulling those links en masse, Facebook would quickly catch on and pull his credentials. Still, the bug points to a number of lingering problems with the conflicting way web services treat URLs, and how those conflicts can put private information into public view.

  • by Anonymous Coward

    I can only hope they can!

  • Obvious (Score:4, Insightful)

    by epyT-R ( 613989 ) on Friday June 10, 2016 @04:52PM (#52291269)

    This should be patently obvious to anyone posting here.

  • How many times do you need to be screwed before you get it?
  • Unless there is user encryption, pretty much anything you enter in an application anywhere is at the mercy of what the developer wants. Only the requirements force the developer into making a system where even they themselves cannot peek (because it is good practice, like salted encrypted passwords, or because of regulation or....). Any messenger which does not advertise end-to-end encryption with key not guessable/no backdoor can read everything you do, including links.
    • by Anonymous Coward

      Any developer. I.e. anyone (literally, last I cared to check) can register as a "Developer" via the website (for free), create an app and use it to abuse other people's privacy.

  • Makes sense!

    If you do want to keep links private, there are services which let you share URLs by sticking them behind another URL which only works once, and/or needs a password etc.

    Why are people complaining that something which is sent over an unencrypted channel is visible to people other than the intended recipient? Even Facebook provides a solution for that: WhatsApp.
