So yesterday we figured out that Facebook's Facebot crawler will crawl _every_ URL that was recorded by their tracking pixel.
I find this highly concerning since:
1. they are crawling potentially sensitive information granted by links with tokens
2. they are triggering potentially harmful and/or confusing actions in your website by repeating links
3. they are repeating requests in a broken way by not encoding URL parameters correctly, for instance URL-encoded %2B ends up just as a "+", thus becoming a whitespace (same goes for slashes etc.)
4. I could not find a warning or note on their tracking-pixel documentation that pages tracked would be crawled later
Don't put Facebook tracking on sensitive pages. Actually, as a service to your users, don't put it anywhere where it doesn't add value.
> 2. they are triggering potentially harmful and/or confusing actions in your website by repeating links
They only perform idempotent[0]* requests, which should not have any negative effect if performed multiple times.
0: http://restcookbook.com/HTTP%20Methods/idempotency/
* They probably only actually perform GET in reality
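Added example, not part of the thread: a small model of the encoding problem from point 3 of the first post, showing how a token containing "+" is corrupted when a recorded link is percent-decoded and requested again without re-encoding, and that a URL-safe token alphabet survives the same replay. The host `example.test`, the `/reset` path, the `token` parameter and the sample bytes are assumptions made for the illustration.

```python
import base64
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Constructed sample bytes, chosen so standard base64 contains "+" and "/".
RAW = bytes([0xFB, 0xEF, 0xBE, 0xFF, 0xFF, 0x3E])
STD_TOKEN = base64.b64encode(RAW).decode()           # "++++//8+"
SAFE_TOKEN = base64.urlsafe_b64encode(RAW).decode()  # "----__8-"


def make_link(token: str) -> str:
    """Build the link as the site would, percent-encoding the token."""
    # example.test and /reset are placeholders, not from the thread.
    return "https://example.test/reset?" + urlencode({"token": token})


def replay_decoded(url: str) -> str:
    """Model a client that percent-decodes a recorded URL once and requests
    the result without re-encoding it (the behaviour point 3 reports)."""
    return unquote(url)


def server_token(url: str) -> str:
    """Token as a form-style query parser hands it to the application."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["token"][0]


def survives_replay(token: str) -> bool:
    """True if the token reaches the server unchanged after a decoded replay."""
    return server_token(replay_decoded(make_link(token))) == token


if __name__ == "__main__":
    for name, tok in (("standard base64", STD_TOKEN), ("URL-safe base64", SAFE_TOKEN)):
        seen = server_token(replay_decoded(make_link(tok)))
        print(f"{name}: sent {tok!r}, server saw {seen!r}, intact={seen == tok}")
```

A token alphabet limited to unreserved characters keeps a replayed link byte-identical, so the server sees the value it issued; it does not stop the replay itself.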