As you scroll through your Facebook News Feed, you encounter numerous posts and links, and it is natural to hesitate before clicking on them. By skimming the title, description, thumbnail, and URL, you form a judgement about whether it is safe to proceed.
Be wary of YouTube URLs on Facebook; they could be fraudulent
Due to Facebook's abundance of spam, ad-driven content, and fake news, users often refrain from clicking on these links. Content from legitimate websites like Instagram or YouTube, however, garners more interest and engagement. Nonetheless, users should exercise caution as YouTube URLs on Facebook could be deceptive.
Although links shared on Facebook cannot be edited by the person sharing them, and Facebook has taken measures against misinformation and fake content, spammers can still manipulate the attributes of a shared link to lure users to unwanted or harmful websites. That can end in a compromised Facebook account, forcing the victim to create a new account and reconnect with their contacts.
Security researcher Barak Tawily has uncovered a simple technique that any user can employ to spoof URLs by exploiting the Facebook link preview functionality.
Despite the measures taken by social media giant Facebook to prevent the dissemination of false information, spammers persist in finding new ways to deceive users. Tawily's discovery underscores the ongoing challenge of combating online deception.
Fundamentally, Facebook scans parts of a shared link's page, in particular its Open Graph meta tags, reading 'og:url', 'og:image', and 'og:title' to obtain the URL, thumbnail image, and title shown in the link preview.
Interestingly, Tawily found that Facebook does not verify that the link in the 'og:url' meta tag matches the URL of the page it was fetched from. A spammer can therefore place a legitimate URL in the 'og:url' Open Graph tag on their own website and share that website on Facebook: the preview displays the legitimate URL while the link itself leads to the malicious site.
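As an added illustration (not code from Facebook, Tawily, or The Hacker News), the following Python script parses a page's Open Graph tags the way a preview fetcher would and performs the check the article says is missing: it compares the host named in 'og:url' with the host the page was actually fetched from. The sample HTML and the domain attacker.example are constructed for this example; the check itself is the kind a link scanner or a cautious preview generator would run before trusting preview data.

```python
"""Validate Open Graph preview data against the URL a page was fetched from.

Added example, not Facebook's or Tawily's code. Assumes only the Python
standard library. The sample pages and the 'attacker.example' domain below
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> pairs from a page."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = dict(attrs)
        prop = attrs.get("property") or attrs.get("name") or ""
        content = attrs.get("content")
        if prop.startswith("og:") and content is not None:
            # First occurrence wins, mirroring common preview fetchers.
            self.og.setdefault(prop, content)


def parse_open_graph(html):
    """Return a dict of og:* property -> content found in the HTML."""
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.og


def preview_host(url):
    """Lower-cased hostname with a leading 'www.' stripped, or '' if absent."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_preview(fetched_url, html):
    """Return (og_tags, findings).

    findings is empty when the og:url tag is absent or points at the same
    host the page was fetched from; otherwise it explains the mismatch.
    """
    og = parse_open_graph(html)
    findings = []
    og_url = og.get("og:url")
    if og_url is None:
        return og, findings
    if urlparse(og_url).scheme not in ("http", "https"):
        findings.append(f"og:url has unexpected scheme: {og_url!r}")
    claimed, actual = preview_host(og_url), preview_host(fetched_url)
    if claimed != actual:
        findings.append(
            f"og:url claims host {claimed!r} but page was fetched from {actual!r}"
        )
    return og, findings


# Constructed sample: a page on an attacker-controlled host whose Open Graph
# tags claim to be a YouTube video, so the preview shows a youtube.com URL.
SPOOF_URL = "https://attacker.example/watch"
SPOOF_HTML = """<html><head>
<meta property="og:url" content="https://www.youtube.com/watch?v=example">
<meta property="og:title" content="Funny cat video">
<meta property="og:image" content="https://attacker.example/thumb.jpg">
</head><body>not a video</body></html>"""

# Constructed sample: an honest page whose og:url matches where it lives.
HONEST_URL = "https://www.youtube.com/watch?v=example"
HONEST_HTML = """<html><head>
<meta property="og:url" content="https://www.youtube.com/watch?v=example">
<meta property="og:title" content="Funny cat video">
</head></html>"""


if __name__ == "__main__":
    for url, html in ((SPOOF_URL, SPOOF_HTML), (HONEST_URL, HONEST_HTML)):
        og, findings = check_preview(url, html)
        verdict = "SUSPICIOUS" if findings else "consistent"
        print(f"{url}: {verdict} (og:title={og.get('og:title')!r})")
        for f in findings:
            print("  -", f)
```

The comparison is deliberately made on hostnames rather than on the full URL, because legitimate sites routinely set 'og:url' to a canonical form of the page (without tracking parameters, for instance); a differing host, by contrast, is exactly the condition the article describes and is worth surfacing to the user instead of rendering the claimed URL as if it were verified.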
In response to The Hacker News, Tawily stated: 'All Facebook users typically assume that the preview data displayed on Facebook is reliable, and they will click on links they are interested in. However, this invisibly creates an opportunity for attackers. They can exploit this feature to carry out various attacks, including scam/advertising/pay-per-click campaigns.'
Tawily reported the issue to Facebook, but the company did not treat it as a security vulnerability, stating that it relies on “Linkshim” to protect users and thwart such attacks.
You may not be aware of it, but when a user clicks a link on Facebook, a system called “Linkshim” checks the URL to determine whether it is malicious, shielding users from fraudulent and harmful websites.
However, if attackers use a newly registered domain for their counterfeit links, Linkshim may be unable to determine whether it is malicious.
Although Linkshim uses machine learning to scan content and identify malicious websites, Tawily found that its protection can be bypassed by serving harmless content to Facebook's bots, which a site can recognise by User-Agent or IP address, while ordinary visitors receive something else.
Since there is no way to verify the real URL behind a link shared on Facebook other than opening it, users can protect their accounts and information only by being cautious and vigilant before clicking.
The same applies when using Facebook on a mobile device: be careful when tapping shared links, since a malware infection on your phone is especially dangerous.