Warning: The YouTube URL shared on Facebook may be deceptive
While browsing the News Feed on Facebook, how do you decide whether to click on a link?
For each shared link, Facebook and Messenger display the title, description, thumbnail and URL. This information is probably enough to decide whether you want to open the link or not.
Because Facebook is full of spam, games and fake news, not everyone clicks on every link they see. But links from popular sites like YouTube or Instagram are far more likely to earn your trust.
But what if even a link from a reputable site takes you somewhere harmful?
Back in July 2017, to curb fake information, Facebook had already stopped letting Pages edit the title, description and thumbnail of a shared link, even before it disallowed editing links after sharing altogether.
However, researcher Barak Tawily has discovered a small trick that allows anyone to spoof the displayed URL and lure users into opening pages they did not intend to visit, by exploiting the way Facebook builds the link preview.
Facebook crawls the shared link to read its Open Graph meta tags and takes the page's properties from them: `og:url`, `og:image` and `og:title` for the URL, thumbnail and title respectively.
Tawily found that Facebook does not validate whether the URL in the `og:url` meta tag matches the URL of the page it actually crawled. So an attacker can distribute a malicious page on Facebook under a fake URL simply by putting a legitimate URL in the Open Graph `og:url` tag of their own website.
A little editing of Open Graph markup is possible to create fake links
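The check Facebook skipped is easy to state: the host named in `og:url` should match the host the crawler actually fetched the page from. The following Python script is an added example, not code from the article or from Facebook; it parses the Open Graph tags out of an HTML document with the standard library and flags a preview whose `og:url` points at a different site. The two HTML documents and the URLs (`unrelated.example`, the YouTube watch URL) are constructed sample input, not pages from the original research.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = (a.get("property") or "").lower()
        # Keep the first occurrence of each property, as a crawler typically would.
        if prop.startswith("og:") and a.get("content") is not None and prop not in self.og:
            self.og[prop] = a["content"]


def extract_open_graph(html):
    """Return a dict of og:* properties found in the document."""
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.og


def registrable_host(url):
    """Lower-cased host of a URL with a leading 'www.' removed for comparison."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_preview(fetched_url, html):
    """Validate a link preview the way a crawler should.

    Returns ("ok", detail) when og:url is absent or its host matches the host the
    page was fetched from, and ("mismatch", detail) when the preview would
    advertise a different site than the one the user will actually land on.
    """
    og = extract_open_graph(html)
    claimed = og.get("og:url")
    if claimed is None:
        return "ok", "no og:url tag; the preview would show the fetched URL"
    if registrable_host(claimed) != registrable_host(fetched_url):
        return "mismatch", f"og:url claims {claimed!r} but page was fetched from {fetched_url!r}"
    return "ok", f"og:url {claimed!r} matches the fetched host"


# Constructed sample: a page on an unrelated host whose Open Graph tags claim
# to be a YouTube video (the pattern described in the article).
SPOOFED_HTML = """<!doctype html><html><head>
<meta property="og:url" content="https://www.youtube.com/watch?v=example">
<meta property="og:title" content="Funny cat video">
<meta property="og:image" content="http://unrelated.example/thumb.jpg">
</head><body>not a video</body></html>"""

# Constructed sample: an honest page whose og:url matches where it was fetched from.
HONEST_HTML = """<!doctype html><html><head>
<meta property="og:url" content="https://www.youtube.com/watch?v=example">
<meta property="og:title" content="Funny cat video">
</head><body>video player</body></html>"""


if __name__ == "__main__":
    for url, doc in [("http://unrelated.example/post.html", SPOOFED_HTML),
                     ("https://youtube.com/watch?v=example", HONEST_HTML)]:
        verdict, detail = check_preview(url, doc)
        print(f"{verdict:8s} {detail}")
```

The comparison is done on the host only, so a page is free to point `og:url` at a canonical path on its own site (the legitimate use of the tag); what it cannot do is borrow another site's name. A real crawler should run this check on the final URL after redirects, since a redirect chain is another way for the fetched location to differ from what the user clicked.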
Tawily reported this issue to Facebook, but received feedback that they did not consider it a security issue because Facebook already had Linkshim to handle these types of attacks.
Linkshim is the mechanism by which Facebook checks a shared URL against a blacklist of known malicious URLs to block phishing and malware sites. If an attacker registers a brand-new domain for the fake link, Linkshim has little chance of recognizing it.
Although Linkshim also uses machine learning to detect previously unseen malicious pages by scanning their content, Tawily believes this protection can be defeated when the page deliberately serves harmless content to Facebook's crawler, identified by its User-Agent or IP address, while serving the malicious content to everyone else.
Tawily also released a video describing this type of attack.
Since there is no way to check the actual URL behind a shared link before opening it, users can do little about this.