Warning: The YouTube URL shared on Facebook may be deceptive
While browsing the News Feed on Facebook, how do you decide whether to click on a link?
For each shared link, Facebook and Messenger display the title, description, thumbnail and URL. This information is probably enough to decide whether you want to open the link or not.
Because Facebook is full of spam, games or fake news, not everyone clicks on every link they see. But links from popular sites like YouTube or Instagram are more likely to earn your trust.
But what if even a link that appears to come from a reputable site leads you into trouble?
To prevent fake information, Facebook already does not allow a link to be edited after it has been shared, and since July 2017 the technology giant has not let Pages edit the title, description and thumbnail of a link.
However, researcher Barak Tawily has discovered a small trick that allows anyone to falsify the displayed URL and trick users into opening pages they don't want, by abusing the way Facebook builds the link preview.
Facebook scans the link to get its Open Graph meta tags and determine the properties of the page, namely 'og:url', 'og:image' and 'og:title' for the URL, thumbnail and title.
Tawily found that Facebook does not validate whether the link in the 'og:url' meta tag matches the URL of the page. So an attacker can distribute malicious code on Facebook via a fake URL by adding a legitimate URL to the Open Graph 'og:url' tag on the website.
A small edit to the Open Graph markup is enough to create fake links
Tawily reported this issue to Facebook, but received feedback that they did not consider it a security issue because Facebook already had Linkshim to handle these types of attacks.
Linkshim is the mechanism by which Facebook checks a URL against a blacklist of malicious URLs to keep users away from phishing and malware sites. If an attacker uses a new domain to create a fake link, it is hard for Linkshim to recognize it.
Although Linkshim uses machine learning to detect malicious pages that have never been seen before by scanning their content, Tawily believes that this protection mechanism may not work when the page intentionally withholds its malicious content from the Facebook bot, based on User-Agent or IP address.
Tawily also released a video describing this type of attack.
Since there is no way to check the actual URL behind a shared link before opening it, users can hardly do anything.