Your Facebook inbox might seem like a private place compared to your news feed and wall, but as with most things on the internet, nothing is ever truly secluded.

Security researcher Inti De Ceukelaire this week penned a Medium blog detailing how he was able to see private links shared between users using the Facebook’s crawler tool. The crawler is used to obtain details about a URL to display them the way you normally see links on Facebook: with a title, description, and thumbnail image.

Though De Ceukelaire’s testings, he was able to obtain an object number Facebook assigns a link every time it’s shared, and figure out the exact URL it represents. This includes links to anything from cat videos and news stories to photos, private Google Docs, and beta environments. It does not, however, show you who sent the link.

De Ceukelaire's scrape of a URL object number, and revealing the source link
Credit: Inti De Ceukelaire
De Ceukelaire’s scrape of a URL object number, and revealing the source link

When he contacted Facebook about the issue, the company responded that this is how the crawler works, and the process is intended.

De Ceukelaire is registered as a developer and if he were to exploit the tool, Facebook would easily be able to catch and stop him. Still, it’s an interesting insight at exactly how Facebook treats URLs when they’re being shared on Facebook. On one hand, it often stops links that are spam and prevents questionable domains from spreading around – but knowing it could readily track what we send is also something to think twice about.

If you don’t want links to your personal photos or projects potentially being looked at by curious developers, De Ceukelaire’s research is just another cautionary tale of a simple mantra: don’t share ultra-private things on social networks.

LEAVE A REPLY