
Why you shouldn't share links on Facebook - Artemis2
https://medium.com/@intideceukelaire/why-you-shouldnt-share-links-on-facebook-f317ba4aa58b
======
niftich
Digging through developers.facebook.com, it appears that their link scraper
creates Objects in their Social Graph. Because these resources are accessible
by URL, they are considered self-hosted objects, and they're always public
[1]. Their Link Sharing FAQ mentions that Messenger is one of the ways link
previews are created, further confirming this behavior [2].

Really the problem is that several situations coincide which make the result
surprising:

- It's not so bad that posting URLs to Facebook generates a link preview and
saves that as a public resource in their Object Graph.

- It's not so bad that you can find the Object's object-instance-id by the
URL.

- It's not so bad that Facebook correlates a bunch of information about that
Object's relationship with other nodes in their graph.

- For data they believe is all-public, it's not so bad that
object-instance-ids are not cryptographically secure and are trivially crawlable.

But when taken together, it -is- surprising that URLs shared through Messenger
(a setting that most users would assume to be "private") can be trivially
crawlable.

[1] https://developers.facebook.com/docs/sharing/opengraph/object-api
[2] https://developers.facebook.com/docs/sharing/webmasters/faq

------
Kaotique
There are lots of private endpoints that are secured by a token that you were
able to obtain by being logged in. For instance, GitHub's raw view of a file.
Sharing this link in a private Messenger chat should not be public for the
world to see.

One would naturally assume private conversations are 100% private and not
scrapable by some third party.

------
starquake
I agree that Facebook should try to prevent private information from leaking
out. Even if they are indirectly involved.

But I also think sites should never use personally identifiable information in
the URL. There are many more sites that cause issues when sharing these kinds
of URLs. To name a few: bit.ly, Twitter, comments in Hacker News.

~~~
ikeboy
How are HN comments an issue? All comments are public, so what's the concern?

Keeping information in URLs is fine as long as it has enough entropy to be
unbruteforcable. Bit.ly and t.co don't, and so aren't secure.
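
The entropy argument in the comment above, as an added example that is not part of the thread: a design check that estimates how long blind guessing takes to hit any live link for a given token scheme, plus a generator for 128-bit link tokens. The 6-character base62 scheme, the count of live links and the guess rate are constructed assumptions, not measurements of any real service.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600


def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a token drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float, live_tokens: int) -> float:
    """Mean number of random guesses before one matches any live token."""
    return 2.0 ** bits / live_tokens


def years_until_first_hit(bits: float, live_tokens: int, guesses_per_sec: float) -> float:
    return expected_guesses(bits, live_tokens) / guesses_per_sec / SECONDS_PER_YEAR


def is_unguessable(bits, live_tokens, guesses_per_sec, min_years=1000.0) -> bool:
    """Design check: does blind guessing take longer than min_years on average?"""
    return years_until_first_hit(bits, live_tokens, guesses_per_sec) >= min_years


def new_share_token(nbytes: int = 16) -> str:
    """128-bit URL-safe token from the OS CSPRNG (22 characters for 16 bytes)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed assumptions: one billion live links, 1000 guesses per second.
    live, rate = 10**9, 1000.0
    schemes = {
        "6-char base62 short code": token_bits(62, 6),
        "128-bit random token": 128.0,
    }
    for name, bits in schemes.items():
        years = years_until_first_hit(bits, live, rate)
        verdict = "ok" if is_unguessable(bits, live, rate) else "enumerable"
        print(f"{name}: {bits:.1f} bits, {years:.3g} years to first hit -> {verdict}")
    print("example link token:", new_share_token())
```

The calculation only holds for tokens chosen uniformly at random; identifiers that are assigned sequentially are enumerable no matter how long they are.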

~~~
starquake
That's exactly my point. Because some users don't understand this technical
issue, you shouldn't use personally identifiable information in URLs. They
might post it to services with enough entropy. But they also might post it to
public parts of the internet.

I use HN comments as an example of an unsafe way to share URLs with personally
identifiable information.

------
dingo_bat
Although the crux of the issue remains, the example of the document is bad. If
anyone is able to open the document using just the link and no authentication,
the document is effectively public.

------
thefastlane
This sort of thing also hints at why FB abandoned XMPP. FB wants to do what
they please with your conversational data, which obviously runs counter to the
culture of encryption that XMPP is embracing.

------
rejectedstone
Using dadada as the Facebook password in the example was clever.

