A lot of people worldwide spend more time on Facebook than communicating in person. Naturally, the biggest social network became a place to share information with your friends and relatives. It’s all nice and safe as long as the information stays on Facebook and never leaves the platform. However, millions of links to other websites are posted on Facebook every day, and with this volume we are dealing with a new kind of threat.
It’s almost always safe to open a link sent to you privately as a message by someone you know, but links to other websites that you notice while browsing your news feed are a whole different story. Your news feed is not only about you and your friends – you also receive content from the various groups you belong to, sponsored posts and all sorts of other sources. That means you are seeing posts published by people you do not know, or even by a user with a fake identity and bad intentions.
How do you tell if a link shared on Facebook is reliable? Basically, Facebook displays only a few indicators that can tell you whether you want to visit that website or not – the title, the description, the URL and the thumbnail image. Is that enough? As it turns out, it is not.
In July 2017 Facebook removed the ability to edit the title, description, thumbnail and URL of a shared link after the post has been published. This was done to curb fake news and clickbait across the platform.
Cyber criminals found a way around those restrictions and, even worse, a way to trick people into clicking links that appear to lead to well-known websites such as YouTube or Reddit, but instead redirect them to unreliable websites with false information, or even to sites spreading malware and other computer viruses.
As described in a blog post by cyber security researcher Barak Tawily, a simple flaw in the method Facebook uses to fetch link previews could be exploited by cyber criminals to drive audiences to unreliable websites.
Facebook scans three main Open Graph meta attributes before deciding whether the content is appropriate for the social network: ‘og:url’, ‘og:image’ and ‘og:title’. The same three attributes are used to build the thumbnail and the URL shown in the preview.
It might be difficult to believe, but a company as big and powerful as Facebook made a silly mistake: it only reads the ‘og:url’ value from the meta tag and does not check whether it matches the actual URL of the page. This flaw allows anyone to make a link display a URL belonging to some other website simply by editing the meta tags on their own site before posting the link on Facebook. For example, the link on Facebook can be displayed as “youtube.com” or “instagram.com”, while in reality the website you are heading to has nothing to do with those well-known pages – the meta tags were edited to trick you.
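As an added example (not from the article or from Tawily’s research), here is the check a link-preview fetcher can apply to close this gap: it parses the Open Graph tags and refuses to display an og:url whose host differs from the host the page was actually fetched from. The HTML samples, hostnames and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..."> tags; first occurrence of each wins."""
    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or a.get("name")
        if prop and prop.startswith("og:") and prop not in self.og:
            self.og[prop] = a.get("content", "")

def _host(url):
    """Lower-cased hostname with a leading 'www.' dropped, for comparison."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def build_preview(fetched_url, html):
    """Preview for a page downloaded from fetched_url. og:url is honoured only
    when its host equals the host actually fetched; otherwise the fetched URL
    is displayed and the mismatch is flagged for the caller."""
    parser = OpenGraphParser()
    parser.feed(html)
    og = parser.og
    claimed = urljoin(fetched_url, og["og:url"]) if og.get("og:url") else fetched_url
    spoofed = _host(claimed) != _host(fetched_url)
    return {
        "title": og.get("og:title", ""),
        "image": og.get("og:image", ""),
        "display_url": fetched_url if spoofed else claimed,
        "og_url_mismatch": spoofed,
    }

# Constructed sample: a page on an unrelated host whose og:url claims to be YouTube.
SPOOFED_HTML = """<html><head>
<meta property="og:url" content="https://www.youtube.com/watch?v=example" />
<meta property="og:title" content="Funny cat video" />
<meta property="og:image" content="https://unrelated.example/thumb.jpg" />
</head></html>"""
# Constructed sample: og:url consistent with the URL that was actually fetched.
HONEST_HTML = """<html><head>
<meta property="og:url" content="https://example.org/post/1" />
<meta property="og:title" content="A blog post" />
</head></html>"""
```

A preview service would log or down-rank any result with `og_url_mismatch` set, since a legitimate site has no reason to declare a canonical URL on somebody else’s domain.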
Barak Tawily reported his discovery to Facebook, but the corporation responded that it is not a security issue: the social network employs a technology called ‘Linkshim’, which features a database of blacklisted websites that cannot be posted on Facebook, as well as new and unknown websites that look suspicious. Unfortunately, this system can be bypassed as well, so it won’t protect users from misleading links.
What’s the best way to protect yourself when Facebook can’t provide you with security? Check the source. Before opening any link on Facebook, take a look at the person or company who posted it and decide whether you can trust them.
By the way, take a look at the video created by Tawily where he demonstrates this security flaw: