Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Encryption Facebook Privacy Social Networks IT Technology

Facebook Developers Can See Private Links Shared Through Messenger (theverge.com) 22

Earlier this week, security researchers at Checkpoint reported about vulnerabilities in Facebook Chat and Messenger that, if exploited, could allow anyone to essentially take control of any message sent by Chat or Messenger. Now a developer named Inti De Ceukelaire is pointing out another flaw in how Facebook deals with URLs. The Verge reports: Through the right API call, De Ceukelaire was able to summon links shared by specific users in private messages. The links were collected by the Facebook crawler, where De Ceukelaire discovered they were easily accessible to anyone running a Facebook app. Those links could be anything from a popular news story to directions to an abortion clinic. As long as they're shared in private messages, they're logged in Facebook's database, and accessible to API calls. It would be hard to exploit that bug at scale for a few different reasons. De Ceukelaire was only able to make the API call because he's registered as a Facebook developer, and if he started pulling those links en masse, Facebook would quickly catch on and pull his credentials. Still, the bug points to a number of lingering problems with the conflicting way web services treat URLs, and how those conflicts can put private information into public view.
This discussion has been archived. No new comments can be posted.

Facebook Developers Can See Private Links Shared Through Messenger

Comments Filter:
  • by Anonymous Coward

    I can only hope they can!

  • Obvious (Score:4, Insightful)

    by epyT-R ( 613989 ) on Friday June 10, 2016 @03:52PM (#52291269)

    This should be patently obvious to anyone posting here.

  • How many times do you need to be screwed before you get it?
  • Unless there is a user encryption, pretty much anything you enter in an application anywhere is at the mercy of what the developer wants. Only the requirements force the developper into making system where even themselves cannot peak (because it is good practice , like salted encrypted password, or because of regulation or....). Any messenger which do not advertise end to end encryption with key not guessable/no backdoor, can read everything you do including links.
    • by Anonymous Coward

      Any developer. I.e. anyone (literally, last I cared to check) can register as a "Developer" via the website (for free), create an app and use it to abuse other people's privacy.

  • Makes sense!

    If you do want to keep links private, there are services which let you share URLS by sticking them behind another url which only works once, and/or needs a password etc.

    Why are people complaining that something which is sent over an unencrypted channel is visible to people other than the intended recipient? Even facebook provides a solution for that; whatsapp.

I've noticed several design suggestions in your code.

Working...