Click to Skip Ad
Closing in...

You should care about this Facebook Messenger security flaw no matter what Facebook says

Published Jun 30th, 2016 6:03PM EDT

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

Yes, Facebook says that anyone can see any of the three million links that are shared every hour in private conversations. That’s a feature, not a bug. But before you get too freaked out about this type of Messenger “feature,” you should know that your privacy isn’t exactly breached, and a hacker would have a seriously hard time figuring out who shared which link with whom.

DON’T MISS: 5 ways the iPhone is still better than Android after all these years

Belgium-based security researcher Inti De Ceukelaire revealed in a post on Medium earlier this month that links shared in Messenger chats are found by Facebook’s crawler tool, which gives them a numerical identifier so that they can be displayed over and over after being shared once. It turns out that developers can request any object in Facebook by its number, including these shared links.

The researcher was able to extract 70 links in 10 minutes, without being able to obtain information about the chats from which they originated.

Facebook, meanwhile, told The Daily Dot that De Ceukelaire indeed contacted the social network about the flaw, but said that it’s not a flaw at all. It’s how Facebook works, and it can’t be used by hackers for malicious purposes.

Facebook is “confident that the risk to URLs people share in messages is very low.” The company has various protections in place to prevent abuse, including rate limiting on requests and throttling that “can detect suspicious activity and which we have recently strengthened further.”

The company said that the technique used “could only return random URLs and would not tie the sharing of a link to any particular person on Facebook. We have not seen abuse of this matter, and we are constantly working to make the security of our systems stronger.”

“As always, we are focused on keeping your message content safe,” Facebook added.

From the looks of it, people can’t spy on other anyone’s Messenger chats as a result of these publicly available links. That means you can still send links in Messenger without worrying who reads them, other than Facebook.

But you should still be wary of this flaw.

If you’re looking to share personal data hosted on some site or a personal server, then absolutely avoid sharing links on Messenger because these links can indeed be found. Send private links using Signal instead. Or WhatsApp. Or iMessage. All these chat apps feature end-to-end encryption, with the first two working across platforms.

Chris Smith Senior Writer

Chris Smith has been covering consumer electronics ever since the iPhone revolutionized the industry in 2008. When he’s not writing about the most recent tech news for BGR, he brings his entertainment expertise to Marvel’s Cinematic Universe and other blockbuster franchises.

Outside of work, you’ll catch him streaming almost every new movie and TV show release as soon as it's available.