Tuesday, July 5, 2016

Facebook Messenger Flaw Allows Strangers Access to Your Private Message Links — No Fix Planned

Source - The Free Thought Project

by Jay Syrmopoulos

After researchers at Check Point recently discovered a security vulnerability that allowed hackers to alter messages and links sent through Facebook Messenger, the social media giant immediately patched the flaw… but a recent exposé, appearing on Medium, revealed that links sent privately through the Messenger system can be read by anyone.


After Inti De Ceukelaire, a reporter/researcher from Medium, contacted Facebook to highlight the security issue, the company replied by saying that this was “intentional behavior” and suggested there would be no attempts to address the vulnerability.

Researchers discovered that the official developer’s application Facebook Crawler could be exploited to see what links had been sent through the private messaging application. The Facebook Crawler works by assigning website links and attachments an identification number and then storing this information.

Once a link is shared and assigned a number, information about the link is then accessible to anyone simply by searching for the identification number. All objects stored on Facebook, whether a picture, a status, or a link, are given unique, non-chronological identification numbers.

De Ceukelaire discovered that with the proper identification number, it was possible to access information about links privately shared through Facebook Messenger.

According to the report by Medium:
While you may only share links to funny cat videos with your friends, you should still be worried about this exploit. Sometimes, sensitive information (personal data, secret keys, …) is included in links without you even noticing…

In this small set of extracted URLs, I’ve already found some interesting info:
• Names: Heather, Jenny, Paula, Yollanda, Bernardo, …
• Location or language.
• Attachments or pictures from the FB CDN: Direct link that sometimes allows access bypassing privacy restrictions.
• Application or game data: Some parameters are friend_level, friend_chips, user_name, group, steal_amount, …
• Secret links or hidden keys: Such as the editable Google Drive links or links to hidden pages, websites, and beta environments.
…and these aren’t mutually exclusive; some URLs include multiple parameter types listed above in one single link, thereby allowing a total stranger to gain personal information about you. Hello NSA?

While this technique is generally inefficient, as it can’t be used to identify specific links shared by individual users – and would require mass inputting of identification codes to find information – this flaw could easily be utilized by state actors, operating in a methodical manner, to target individual users.

The fact that Facebook allows this type of security flaw to remain unpatched reveals a clear lack of investment in their users’ informational security — a continuing and ongoing problem with the social media platform.
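Because the exposure described above depends on what a shared URL carries, a link can be checked before it is sent. The following is an added example, not code from the Medium report or from Facebook: a heuristic audit that flags the kinds of data the report lists (names, location or language, application parameters, secret links). The parameter-name patterns, the length threshold and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic name patterns (assumptions), grouped by the report's categories.
SENSITIVE_NAMES = {
    "identity": re.compile(r"(^|_)(user|name|email|uid|friend)(_|$)", re.I),
    "secret": re.compile(r"token|key|secret|sig|auth|password|session", re.I),
    "locale": re.compile(r"^(lang|locale|country|city|loc)$", re.I),
}

def looks_opaque(value):
    """Long mixed-case alphanumeric strings often act as access secrets."""
    return (len(value) >= 24
            and re.fullmatch(r"[A-Za-z0-9_-]+", value) is not None
            and any(c.isdigit() for c in value)
            and any(c.isupper() for c in value))

def audit_link(url):
    """Return sorted (category, detail) findings for one URL."""
    parts = urlsplit(url)
    findings = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for category, pattern in SENSITIVE_NAMES.items():
            if pattern.search(name):
                findings.add((category, name))
        if looks_opaque(value):
            findings.add(("secret", name))
    # The secret may sit in the path, as with unlisted or editable documents.
    for segment in parts.path.split("/"):
        if looks_opaque(segment):
            findings.add(("secret", "path:" + segment[:6] + "..."))
    return sorted(findings)

def strip_query(url):
    """Drop query string and fragment, the safest form to share if it still loads."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"

# Constructed sample links; the hosts and values are not real.
SAMPLE_LINKS = [
    "https://game.example/invite?user_name=Heather&friend_level=12&steal_amount=300",
    "https://docs.example/document/d/1aB3dE5gH7jK9mN1pQ3sT5vX7zC2/edit?usp=sharing",
    "https://news.example/articles/facebook-messenger-flaw-explained?lang=nl",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", audit_link(link) or "nothing flagged")
```

A secret embedded in the path, as in the second sample, survives `strip_query`, so such a link should be shared only where the recipient list is the intended audience.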
