
Links sent privately through Facebook Messenger can be read by anyone - softvar
https://medium.com/@intideceukelaire/why-you-shouldnt-share-links-on-facebook-f317ba4aa58b#.mwoeohl1b
======
IkmoIkmo
Facebook's response seems inadequate. Because let's be frank here:

1) There are obvious security concerns thinkable. For example, plenty of
websites (google docs, dropbox etc) offer an 'anyone with this link can view
document' option. Which is generally safe, given these randomly generated
links usually contain > 100 bits of entropy. Access to the link is access to
the document, and so the link is a PW.

2) This link can be publicly accessed, despite having only been published in
an ostensibly private FB conversation. Facebook has now admitted that the
contents of a private conversation can partially be public. That's ridiculous.
Not just because it's not safe, there are more things that aren't safe (e.g.
sending risque images on Snapchat). But mainly because it's against
expectations. Snapchat told me on my first day of usage, in the app, that my
friends can save my snaps and that I should keep this in mind, and while many
users of Snapchat use it recklessly, I would guess that most are aware of the
risks. Users carry much of the burden of responsibility now. But there's no
such awareness of the risks of partial contents of a private facebook
conversation not being publicly accessible, nobody is aware of this.

3) The response seems wholly unnecessary. It seems to me relatively trivial to
require a security token to see this data, much like the rest of the chat
itself.

Now I'm not particularly alarmed by the issue itself, it's one of those
'safety in numbers' kinds of things. A hacker would likely be more effective
setting up a phishing website and buying an email database, than to collect
links and then review them for sensitive data. But the response of FB feels
inadequate and unnecessary to me.

~~~
tuna-piano
Couldn't an attacker simply run a script (from multiple source IPs) to get a
large number of FB Messenger URLs - then parse the results for specific things
- dropbox links, google docs links and other services that are secured through
a long URL? I would guess there are examples of services that would be high
value to attackers and are secured through the URL... although I can't think
of any in particular.

------
edwhitesell
This is one of the reasons many corporations have rules about only using
internal messaging applications. Or, block external messaging apps. In
environments I've managed, I've always enforced the rule: Anything
confidential sent via a messaging app is no longer confidential.

Skype, Facebook & G+/GTalk have all "followed" URLs sent via their
applications for at least a few years (that I have noticed). Anti-virus
applications installed on computers have done it with URLs in email
applications and such too.

One of the large A/V vendors (Trend or McAfee, I don't recall which) had a
browser plugin that would follow all of your browsing activity. I used to be
amused tailing logfiles to see a hit from a browser, then one of their
corporate IPs with a "crawler"-like UA come along a few seconds later.

 __EDIT last line for clarity.

~~~
mercer
While that in itself is not necessarily desire behavior, the fact that this
link is accessible to parties not part of the chat is by far the bigger
problem.

~~~
edwhitesell
Definitely. But, it wouldn't be a problem if people understood the
implications of using external services in the first place (or were unable to
do so via technical means).

------
donatj
After hearing about people arrested for the content of their private chats on
Facebook I basically act under the assumption that everything I do on Facebook
is public.

~~~
kevinjcliao
Source? I'd really like to know more about this.

~~~
donatj
[https://www.cnet.com/news/facebook-scans-chats-and-posts-
for...](https://www.cnet.com/news/facebook-scans-chats-and-posts-for-criminal-
activity/)

~~~
chillacy
While catching child predators and murderers is a good thing, I can't help but
consider that if facebook operated in china, they'd be catching political
dissidents, or if facebook operated in uganda, they'd be catching homosexual
users.

~~~
donatj
Exactly. Ideally the communication should be encrypted in a way such that
Facebook couldn't decrypt it if they wanted to.

------
mpeg
FB also considers "won't fix" a bug I found a while ago that allows anyone to
send anyone else on FB a spoofed email that comes from @facebook.com, without
knowing their email address ¯\\_(ツ)_/¯.

~~~
tomglynch
That's pretty severe surely. Any more information?

~~~
mpeg
Not sure I'm comfortable with full disclosure as I still consider it
potentially harmful (phishing mostly, or sending unsolicited emails without
knowing the fb login email of a user)

Maybe I should try to report it again on Hackerone, as this was reported
through the old whitehat program and the guy who answered never fully
addressed the issue or replied to my follow up

~~~
s_q_b
Sunlight it, if they won't change it. Bad publicity and bad behavior from
other actors will only increase the likelihood that the bug gets fixed.

If a company won't listen you've done your moral duty. The last step of
responsible disclosure is publication. As a bonus, you'll probably even
frontpage HN.

~~~
eridal
Agree.

Plus he has given lot of pointers so it's a matter of time someone find the
comment and start trial-and-error to discover how to exploit the bug.

------
thomasfoster96
This probably isn't a popular opinion, but I fail to see how this is a problem
with Facebook.

The Google Docs URL is public whether or not you send it through Facebook.
It's only secret until someone guesses the link (Edit: maybe not
mathematically in the case of Google Docs, but many other services use
'unlisted' URLs without having a long token to guess) - something they can do
without the URL even going through Messenger.

If you're sharing passwords or confidential information via a public URL with
no authentication and hoping nobody finds the address, you're asking for
trouble. I don't blame Facebook for not doing anything about it.

~~~
KingMob
> It's only secret until someone guesses the link - something they can do
> without the URL even going through Messenger.

Not really - a sufficiently large random number is effectively unguessable in
your lifetime. This is no different than sharing a password with your partner
in a private Facebook chat and discovering that outsiders can stumble on it.

~~~
moron4hire
Your one particular file is effectively unguessable, but that does not mean
that guessing at files is a fruitless endeavor.

~~~
GauntletWizard
No, actually. It really doesn't take that many bits of entropy for you to be
unable to find _any_ documents in a haystack of entries. My file ID is 45
characters of base-64 encoded string. This is a total entropy of 225 bytes. If
there are a quintillion files in google drive (a hundred million files per
person who has ever lived), you were loading a million possible files per
second, you'd still take several times the expected time to the heat death of
the universe to randomly stumble upon one.

------
samanthashoaf
[https://m.facebook.com/composer/mbasic/?csid=2d645076-9e83-4...](https://m.facebook.com/composer/mbasic/?csid=2d645076-9e83-4e08-8b4b-d34978d631d5&cwevent=add_privacy&av=100001516340790&view_overview&privacyx=286958161406148&_rdr)
I was sent this link but upon opening it I'm redirected to a page that says I
am not permitted to view such. Can anyone explain to me why I was sent this
and what it could potentially mean?

------
tuna-piano
It's infuriating to me as a user that certain aspects of a private 1-1
conversation are made public for a "feature" as trivial as a link preview,
especially when it seems the fix would be as simple as having a larger, random
identifier.

Does anyone know what will happen when Facebook Messenger is encrypted end to
end?

------
elif
This is only a lapse in security if you're relying upon URL obfuscation for
security to begin with. It is only actionable if you can MITM or otherwise
easedrop and find the graph ID.

Title rating: unreasonably alarmist

~~~
zeveb
> This is only a lapse in security if you're relying upon URL obfuscation for
> security to begin with.

Which is perfectly reasonable to do: a URL containing a cryptographically-
secure identifier is itself a cryptographically-secure identifier. An example
would be
[http://foo.invalid/ed2e898ff0b132202cb0bd0dea0d389a7b6439160...](http://foo.invalid/ed2e898ff0b132202cb0bd0dea0d389a7b6439160b9aca5f3edcd99ad34bc2a9).

Another example would be OAuth2 bearer tokens, which may be encoded in the URL
as a parameter.

> It is only actionable if you can MITM or otherwise easedrop and find the
> graph ID.

It looks like the graph IDs are enumerable, rather than being high-entropy, so
it looks like you can trawl through the graph looking for interesting objects.

------
zeveb
Were they using 256-bit random identifiers then this wouldn't be a problem. In
that case, the IDs would serve as capabilities to the resources.

~~~
tuna-piano
Anyone know why they would choose to use incremented integers and not 256-bit
identifiers? This seems like a gaping hole to me that makes me uncomfortable
sharing links in the tool.

I would much, much, much rather not have link previews than be open to this
sort of simple exploit.

Seems like someone could just write a script to pull down a few thousand
links, and then search for links from specific sites, private Google Docs
documents, etc.

~~~
niftich
In an earlier thread about this I wrote [1] that the contributing factors FB
does aren't egregious by themselves. Specifically, in their view all of their
link previews are public, as they were originally intended to catalogue the
web.

Having predictable, incrementing integers as IDs for public resources isn't a
problem. The problem is most people perceive Messenger as a private chat, and
don't expect their privately-shared links to be catalogued in a publically
accessible, trivially crawlable object store.

[1]
[https://news.ycombinator.com/item?id=11873258](https://news.ycombinator.com/item?id=11873258)

------
dahart
Does Facebook's response not having capitalization also worry anyone else more
than the security hole? ;)

------
irl_zebra
I've been using the destructible.io for temp links. It was posted here not too
long ago, useful and if anyone else tries to access it, it deletes itself
[https://destructible.io](https://destructible.io)

------
aab0
This reminds me of the similar thing in Microsoft Office recently: it
automatically shortened all links in documents, even private ones, with a URL
shortener service. URL shortener services are, by design, easy to brute force
enumerate. Cue popcorn...

~~~
epaulson
The relevant blog post:

[https://freedom-to-tinker.com/blog/vitaly/gone-in-six-
charac...](https://freedom-to-tinker.com/blog/vitaly/gone-in-six-characters-
short-urls-considered-harmful-for-cloud-services/)

------
dlitz
Related to this, the W3C maintains a best-practices document about private
("capability") URLs:

[https://www.w3.org/TR/capability-urls/](https://www.w3.org/TR/capability-
urls/)

------
mauricioc
What about WhatsApp? It fetches a page's title as soon as you type in a URL. I
assume the fetching happens on the client, but does the URL (or the title
itself) get uploaded somewhere?

~~~
atestu
That would be more worrisome given that Whatsapp is supposed to be encrypted
end-to-end.

------
niftich
Also see previous for more discussion:
[https://news.ycombinator.com/item?id=11868077](https://news.ycombinator.com/item?id=11868077)

------
rhaps0dy
The first thing I did was share this particular link on Facebook :)

Precisely because of what the article says.

------
owly
Please. Delete. Your. Accounts. What are you waiting for? Challenge: Start a
decentralized FB clone. Evangelize.

------
excalibur
Is it bad that the thing I most want to do with this story is share a link to
it on Facebook?

------
stefek99
Why asking friend to share a link? Isn't it easier to log in using secondary
account...

------
bemmu
How would you know the Graph ID number if someone doesn't explicitly tell it
to you?

~~~
Bartweiss
> I wrote a quick script that would take any identification number and
> increment it gradually to discover other links. It worked

Apparently the numbers, while non-sequential, are not sufficiently large and
random to be 'unguessable'. Take a known point and look around it, see if you
get something good.

