Facebook's response seems inadequate. Because let's be frank here:

1) There are obvious security concerns thinkable. For example, plenty of websites (google docs, dropbox etc) offer an 'anyone with this link can view document' option. Which is generally safe, given these randomly generated links usually contain > 100 bits of entropy. Access to the link is access to the document, and so the link is a PW.

2) This link can be publicly accessed, despite having only been published in an ostensibly private FB conversation. Facebook has now admitted that the contents of a private conversation can partially be public. That's ridiculous. Not just because it's not safe, there are more things that aren't safe (e.g. sending risque images on Snapchat). But mainly because it's against expectations. Snapchat told me on my first day of usage, in the app, that my friends can save my snaps and that I should keep this in mind, and while many users of Snapchat use it recklessly, I would guess that most are aware of the risks. Users carry much of the burden of responsibility now. But there's no such awareness of the risks of partial contents of a private facebook conversation not being publicly accessible, nobody is aware of this.

3) The response seems wholly unnecessary. It seems to me relatively trivial to require a security token to see this data, much like the rest of the chat itself.

Now I'm not particularly alarmed by the issue itself, it's one of those 'safety in numbers' kinds of things. A hacker would likely be more effective setting up a phishing website and buying an email database, than to collect links and then review them for sensitive data. But the response of FB feels inadequate and unnecessary to me.
This is one of the reasons many corporations have rules about only using internal messaging applications. Or, block external messaging apps. In environments I've managed, I've always enforced the rule: Anything confidential sent via a messaging app is no longer confidential.

Skype, Facebook & G+/GTalk have all "followed" URLs sent via their applications for at least a few years (that I have noticed). Anti-virus applications installed on computers have done it with URLs in email applications and such too.

One of the large A/V vendors (Trend or McAfee, I don't recall which) had a browser plugin that would follow all of your browsing activity. I used to be amused tailing logfiles to see a hit from a browser, then one of their corporate IPs with a "crawler"-like UA come along a few seconds later.

EDIT last line for clarity.
After hearing about people arrested for the content of their private chats on Facebook I basically act under the assumption that everything I do on Facebook is public.
FB also considers "won't fix" a bug I found a while ago that allows anyone to send anyone else on FB a spoofed email that comes from @facebook.com, without knowing their email address ¯\_(ツ)_/¯.
This probably isn't a popular opinion, but I fail to see how this is a problem with Facebook.

The Google Docs URL is public whether or not you send it through Facebook. It's only secret until someone guesses the link (Edit: maybe not mathematically in the case of Google Docs, but many other services use 'unlisted' URLs without having a long token to guess) - something they can do without the URL even going through Messenger.

If you're sharing passwords or confidential information via a public URL with no authentication and hoping nobody finds the address, you're asking for trouble. I don't blame Facebook for not doing anything about it.
https://m.facebook.com/composer/mbasic/?csid=2d645076-9e83-4e08-8b4b-d34978d631d5&cwevent=add_privacy&av=100001516340790&view_overview&privacyx=286958161406148&_rdr
I was sent this link but upon opening it I'm redirected to a page that says I am not permitted to view such. Can anyone explain to me why I was sent this and what it could potentially mean?
It's infuriating to me as a user that certain aspects of a private 1-1 conversation are made public for a "feature" as trivial as a link preview, especially when it seems the fix would be as simple as having a larger, random identifier.

Does anyone know what will happen when Facebook Messenger is encrypted end to end?
This is only a lapse in security if you're relying upon URL obfuscation for security to begin with. It is only actionable if you can MITM or otherwise eavesdrop and find the graph ID.

Title rating: unreasonably alarmist
I've been using destructible.io for temp links. It was posted here not too long ago, useful, and if anyone else tries to access it, it deletes itself: https://destructible.io
This reminds me of the similar thing in Microsoft Office recently: it automatically shortened all links in documents, even private ones, with a URL shortener service. URL shortener services are, by design, easy to brute force enumerate. Cue popcorn...
Related to this, the W3C maintains a best-practices document about private ("capability") URLs:

https://www.w3.org/TR/capability-urls/
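The thread's two quantitative points (the ">100 bits of entropy" that makes a share link safe to treat as a password, and the short shortener slugs that are "easy to brute force enumerate") can be put side by side in code. The following is an added illustration written for this discussion, not code from Facebook, Google, Microsoft or the W3C document; the `CapabilityStore` class, its method names and the sample numbers (one million live short links, one billion live capability tokens) are constructed assumptions. It mints a capability token from the OS CSPRNG, stores only a hash of it so a leaked database does not leak live links, supports revocation for the case where a link has been fetched by a third party, and computes how many guesses an enumerator would need against each keyspace.

```python
import hashlib
import math
import secrets
from typing import Dict, Optional


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a token of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses_to_hit_any(keyspace: int, live_tokens: int) -> float:
    """Expected number of uniformly random guesses before *some* live token is
    hit. With `live_tokens` valid values in a keyspace of size `keyspace`, each
    guess succeeds with probability live_tokens/keyspace; the expected number
    of trials to the first success is roughly keyspace / (2 * live_tokens)
    when guessing without replacement."""
    return keyspace / (2 * live_tokens)


def mint_capability_token(nbytes: int = 16) -> str:
    """16 bytes from the OS CSPRNG = 128 bits of entropy, base64url-encoded
    into a 22-character, URL-safe string (padding stripped by the library)."""
    return secrets.token_urlsafe(nbytes)


def _fingerprint(token: str) -> str:
    # Store a hash, not the token: a dumped table then cannot be replayed as
    # working links, and the lookup key reveals nothing about the secret.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class CapabilityStore:
    """Hypothetical 'anyone with the link' share registry (constructed for this
    example). Maps hashed capability tokens to document ids."""

    def __init__(self) -> None:
        self._docs: Dict[str, str] = {}

    def share(self, doc_id: str) -> str:
        token = mint_capability_token()
        self._docs[_fingerprint(token)] = doc_id
        return token  # the only time the raw token exists server-side

    def resolve(self, presented: str) -> Optional[str]:
        return self._docs.get(_fingerprint(presented))

    def revoke(self, presented: str) -> bool:
        """Kill a link that has leaked (e.g. it was fetched by a preview bot or
        pasted somewhere it should not have been). Returns True if it existed."""
        return self._docs.pop(_fingerprint(presented), None) is not None


# Constructed comparison: a 6-character base62 shortener slug versus a
# 128-bit capability token.
SHORTENER_KEYSPACE = 62 ** 6
CAPABILITY_KEYSPACE = 2 ** 128


def enumeration_summary() -> Dict[str, float]:
    return {
        "shortener_bits": token_entropy_bits(62, 6),
        "capability_bits": token_entropy_bits(256, 16),
        # assumed: 1e6 live short links, 1e9 live capability links
        "shortener_guesses_to_hit_any": expected_guesses_to_hit_any(SHORTENER_KEYSPACE, 10**6),
        "capability_guesses_to_hit_any": expected_guesses_to_hit_any(CAPABILITY_KEYSPACE, 10**9),
    }


if __name__ == "__main__":
    store = CapabilityStore()
    link_token = store.share("doc-1")
    print("share URL token:", link_token, "->", store.resolve(link_token))
    store.revoke(link_token)
    print("after revoke:", store.resolve(link_token))
    for k, v in enumeration_summary().items():
        print(f"{k}: {v:.3g}")
```

The summary makes the thread's contrast concrete: a 6-character shortener slug carries about 36 bits, so with a million live links an enumerator expects a hit every few tens of thousands of requests, which is rate-limiting territory, not cryptographic territory; a 128-bit token with a billion live links needs on the order of 10^29 guesses, so the only realistic way to learn one is for it to be disclosed, which is exactly what a preview fetch does, and why `revoke` matters as much as entropy.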
What about WhatsApp? It fetches a page's title as soon as you type in a URL. I assume the fetching happens on the client, but does the URL (or the title itself) get uploaded somewhere?
Also see previous for more discussion: https://news.ycombinator.com/item?id=11868077