While scrolling on Facebook how you decide which link/article should be clicked or opened?
Facebook timeline and Messenger display title, description, thumbnail image and URL of every shared-link, and this information are enough to decide if the content is of your interest or not.
Since Facebook is full of spam, clickbait and fake news articles these days, most users do not click every second link served to them.
But yes, the possibility of opening an article is much higher when the content of your interest comes from a legitimate and authoritative website, like YouTube or Instagram.
However, what if a link shared from a legitimate website lands you into trouble?
Discovered by 24-year-old security researcher Barak Tawily, a simple trick could allow anyone to spoof URLs by exploiting the way Facebook fetch link previews.
In brief, Facebook scans shared-link for Open Graph meta tags to determine page properties, specifically ‘og:url’, ‘og:image’ and ‘og:title’ to fetch its URL, thumbnail image and title respectively.
Interestingly, Tawily found that Facebook does not validate if the link mentioned in ‘og:url’ meta tag is same as the page URL, allowing spammers to spread malicious web pages on Facebook with spoofed URLs by just adding legitimate URLs in ‘og:url’ Open Graph meta tag on their websites.
“In my opinion, all Facebook users think that preview data shown by Facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks, including phishing campaigns/ads/click fraud pay-per-click,” Tawily told The Hacker News.
Tawily reported the issue to Facebook, but the social media giant refused to recognise it as a security flaw and referred that Facebook uses “Linkshim” to protect against such attacks.
Although Linkshim also uses machine learning to identify never-seen-before malicious pages by scanning its content, Tawily found that the protection mechanism could be bypassed by serving non-malicious content explicitly to Facebook bot based on User-Agent or IP address.
Tawily has also provided a demo video to show the attack in action. You can watch the video above.
Since there is no way to check the actual URL behind a shared link on Facebook without opening it, there is a little user can do to protect themselves except being vigilant.
Article appeared on: