While scrolling on Facebook, how do you decide which link or article should be clicked or opened?
Facebook's timeline and Messenger display the title, description, thumbnail image and URL of every shared link, and this information is enough to decide whether the content is of interest to you or not.
Since Facebook is full of spam, clickbait and fake news articles these days, most users do not click every second link served to them.
But yes, the likelihood of opening an article is much higher when content of interest appears to come from a legitimate and authoritative website, like YouTube or Instagram.
However, what if a link apparently shared from a legitimate website lands you in trouble?
Even before, links shared on Facebook could not be edited, but to stop the spread of misinformation and fake news, the social media giant also removed the ability for Pages to edit the title, description and thumbnail image of a link in July 2017.
However, it turns out that spammers can spoof the URLs of shared links to trick users into visiting pages they do not expect, redirecting them to phishing or fake news websites with malware or malicious content.
Discovered by 24-year-old security researcher Barak Tawily, a simple trick could allow anyone to spoof URLs by exploiting the way Facebook fetches link previews.
In brief, Facebook scans the shared link for Open Graph meta tags to determine page properties, specifically 'og:url', 'og:image' and 'og:title', to fetch its URL, thumbnail image and title respectively.
Interestingly, Tawily found that Facebook does not validate whether the link mentioned in the 'og:url' meta tag is the same as the page's actual URL, allowing spammers to spread malicious web pages on Facebook with spoofed URLs by simply putting a legitimate URL in the 'og:url' Open Graph meta tag on their own websites.
If you are unaware, every time a link is clicked on Facebook, a system called "Linkshim" checks that URL against the company's own blacklist of malicious links to keep users away from phishing and malicious websites.
This means that if an attacker uses a new domain for generating spoofed links, it would not be easy for the Linkshim system to determine whether it is malicious.
Although Linkshim also uses machine learning to identify never-seen-before malicious pages by scanning their content, Tawily found that this protection mechanism could be bypassed by serving non-malicious content specifically to the Facebook bot, selected by User-Agent or IP address.
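A preview-side mitigation for the og:url mismatch described above, as an added example that is not the article's or Facebook's code: it parses the Open Graph tags a link-preview crawler reads and refuses to display a claimed URL whose host differs from the host the page was actually fetched from (all hostnames and the sample HTML are constructed placeholders).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class OpenGraphParser(HTMLParser):
    """Collect og:* <meta> tags the way a link-preview crawler would."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.og.setdefault(prop, a["content"])  # first tag wins


def parse_open_graph(html):
    p = OpenGraphParser()
    p.feed(html)
    return p.og


def build_preview(fetched_url, html):
    """Build a preview, flagging it when og:url names a different host."""
    og = parse_open_graph(html)
    fetched_host = (urlparse(fetched_url).hostname or "").lower()
    # Resolve a relative og:url against the fetched page before comparing.
    claimed = urljoin(fetched_url, og.get("og:url", fetched_url))
    claimed_host = (urlparse(claimed).hostname or "").lower()
    spoofed = claimed_host != fetched_host
    return {
        "title": og.get("og:title", ""),
        "image": og.get("og:image", ""),
        # On a mismatch show where the link really goes, never the claimed URL.
        "display_url": fetched_url if spoofed else claimed,
        "spoofed": spoofed,
    }


# Constructed sample (hostnames are placeholders): a page on an
# attacker-controlled host whose og:url claims a legitimate site.
SAMPLE_HTML = """<html><head>
<meta property="og:url" content="https://legit.example/article" />
<meta property="og:title" content="Sample article" />
<meta property="og:image" content="https://spoof.example/thumb.jpg" />
</head><body>...</body></html>"""
```

A crawler that applies this check still sees only what the server chooses to serve it, so cloaking by User-Agent or IP address, as the article notes, remains a separate problem.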
Tawily has also provided a demo video to show the attack in action. You can watch the video above.
Since there is no way to check the actual URL behind a shared link on Facebook without opening it, there is little users can do to protect themselves except being vigilant.
"In my opinion, all Facebook users think that the preview information shown by Facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks, including phishing campaigns/ads/click fraud pay-per-click," Tawily told The Hacker News.
Tawily reported the issue to Facebook, but the social media giant refused to recognise it as a security flaw and replied that Facebook uses "Linkshim" to protect against such attacks.