Warning: The YouTube URL shared on Facebook may be deceptive

Because Facebook is full of spam, games and fake news, not everyone clicks on every link they see. Links from popular sites like YouTube or Instagram, however, are more likely to be trusted. But what if even a link from a reputable site leads you into trouble?

While browsing the News Feed on Facebook, how do you decide whether to click on a link?

For each shared link, Facebook and Messenger display the title, description, thumbnail and URL. This information is probably enough to decide whether you want to open the link or not.


Facebook had already taken steps against fake information: since July 2017 the technology giant has not allowed Pages to edit the title, description and thumbnail of a link after sharing it.

See also: Facebook does not edit titles and preview links to prevent fake information

However, researcher Barak Tawily has discovered a small trick that allows anyone to spoof the URL shown in a preview and trick users into opening pages they did not intend to visit, by abusing the way Facebook builds link previews.

Facebook crawls the shared link and reads its Open Graph meta tags to determine the page's properties: 'og:url', 'og:image' and 'og:title' supply the URL, thumbnail and title shown in the preview.

Tawily found that Facebook does not validate whether the URL in the 'og:url' meta tag actually matches the URL of the page being crawled. An attacker can therefore spread malicious content on Facebook under a fake URL simply by putting a legitimate URL into the Open Graph 'og:url' tag of their own website.
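The missing check described above can be illustrated on the crawler side. The following is an added example, not code from the article or from Facebook: it parses the Open Graph tags out of a fetched page and refuses to display an 'og:url' whose host differs from the host the crawler actually fetched, falling back to the real URL instead. The sample HTML, the hostnames and the video id are constructed placeholders.

```python
"""Added example (not from the article, Facebook or Barak Tawily): a
crawler-side consistency check for Open Graph link previews. It extracts
og:url, og:title and og:image from a fetched page and flags a preview whose
og:url claims a different site than the page that was actually fetched.
All sample HTML, hostnames and ids below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenGraphParser(HTMLParser):
    """Collects <meta property="og:..." content="..."> tags from a page."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or a.get("name")
        if prop and prop.startswith("og:") and a.get("content") is not None:
            # keep the first occurrence of each tag, as crawlers usually do
            self.og.setdefault(prop, a["content"])


def extract_og_tags(html: str) -> dict:
    """Return a dict of og:* property -> content for the given HTML."""
    p = OpenGraphParser()
    p.feed(html)
    return p.og


def registrable_host(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' stripped. This is a
    simplification; a production crawler would use the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_preview(fetched_url: str, html: str) -> dict:
    """Build the preview fields and set 'spoofed' when og:url names a
    different host than the URL the crawler really fetched. A spoofed
    preview shows the fetched URL instead of the claimed one."""
    og = extract_og_tags(html)
    claimed = og.get("og:url", fetched_url)
    spoofed = registrable_host(claimed) != registrable_host(fetched_url)
    return {
        "display_url": fetched_url if spoofed else claimed,
        "title": og.get("og:title", ""),
        "image": og.get("og:image", ""),
        "spoofed": spoofed,
    }


# Constructed sample: a page on an attacker-controlled placeholder host whose
# Open Graph markup claims to be a YouTube video (the pattern in the article).
SPOOFED_HTML = """<html><head>
<meta property="og:url" content="https://www.youtube.com/watch?v=placeholder">
<meta property="og:title" content="Funny cat video">
<meta property="og:image" content="https://attacker.example/thumb.jpg">
</head><body>not a video</body></html>"""

# Constructed sample: a page whose og:url is consistent with its own origin.
HONEST_HTML = """<html><head>
<meta property="og:url" content="https://blog.example/post/1">
<meta property="og:title" content="A blog post">
</head><body>hello</body></html>"""


if __name__ == "__main__":
    print(check_preview("https://attacker.example/page", SPOOFED_HTML))
    print(check_preview("https://www.blog.example/post/1", HONEST_HTML))
```

The comparison is done on hostnames rather than full URLs so that a legitimate canonical 'og:url' (for example a page that links to itself without the 'www.' prefix) still passes, while an 'og:url' that points at an entirely different site is flagged and the preview shows where the link really goes.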

[Picture 1] A little editing of Open Graph markup is enough to create a fake link

Tawily reported the issue to Facebook but was told that it was not considered a security issue, because Facebook already has Linkshim to handle this type of attack.

Linkshim is Facebook's mechanism for checking a URL against a blacklist of known malicious URLs in order to block phishing and malware sites. If an attacker uses a brand-new domain for the fake link, Linkshim is unlikely to recognize it.

Although Linkshim also uses machine learning to detect previously unseen malicious pages by scanning their content, Tawily believes this protection may not work when the page deliberately hides its malicious content from the Facebook bot, identifying the crawler by its User-Agent or IP address.

Tawily also released a video describing this type of attack.

Since there is no way to check the actual URL behind a shared link before opening it, there is little users can do on their own.
