While scrolling through Facebook, how do you decide which link or article is worth clicking or opening?
The Facebook timeline and Messenger display the title, description, thumbnail image and URL of every shared link, and that information is usually enough to decide whether the content interests you.
Since Facebook is full of spam, clickbait and fake news articles these days, most users do not click every link served to them.
But the likelihood of opening an article is much higher when content of interest appears to come from a legitimate, authoritative website such as YouTube or Instagram.
However, what if a link that appears to be shared from a legitimate website lands you in trouble?
Links shared on Facebook could not be edited before either, but to stop the spread of misinformation and fake news, the social media giant also removed the ability for Pages to edit the title, description and thumbnail image of a link in July 2017.
However, it turns out that spammers can spoof the URLs of shared links to trick users into visiting pages they do not expect, redirecting them to phishing or fake news websites carrying malware or other malicious content.
Discovered by 24-year-old security researcher Barak Tawily, a simple trick lets anyone spoof URLs by exploiting the way Facebook fetches link previews.
In brief, Facebook scans the shared link for Open Graph meta tags to determine page properties, specifically 'og:url', 'og:image' and 'og:title', from which it takes the URL, thumbnail image and title respectively.
Interestingly, Tawily found that Facebook does not validate whether the link given in the 'og:url' meta tag matches the page's actual URL, allowing spammers to spread malicious web pages on Facebook under spoofed URLs simply by putting legitimate URLs in the 'og:url' Open Graph meta tag on their own websites.
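To make the failure concrete, here is an added example (written for this article, not Facebook's crawler code or Tawily's proof of concept) that parses the Open Graph tags of a constructed attacker page and shows a preview builder that trusts 'og:url' next to one that only accepts it when it shares an origin with the URL that was actually fetched. The domain attacker.example, the page contents and the YouTube video ID are made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: an attacker-controlled page (attacker.example is a
# hypothetical domain) whose Open Graph tags claim it lives on youtube.com.
SPOOFED_PAGE = """<html><head>
<meta property="og:url" content="https://www.youtube.com/watch?v=dQw4w9WgXcQ">
<meta property="og:title" content="Official trailer (HD)">
<meta property="og:image" content="https://attacker.example/thumb.jpg">
</head><body>phishing form goes here</body></html>"""


class OpenGraphParser(HTMLParser):
    """Collects <meta property="og:..." content="..."> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)  # HTMLParser lower-cases attribute names for us
        prop = attr.get("property") or ""
        if prop.startswith("og:") and attr.get("content") is not None:
            self.tags.setdefault(prop, attr["content"])  # first occurrence wins


def parse_open_graph(html):
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.tags


def naive_preview(fetched_url, html):
    """The behaviour the article describes: whatever og:url says is what the
    preview shows, so the attacker's page is displayed as a youtube.com link."""
    og = parse_open_graph(html)
    return {"url": og.get("og:url", fetched_url), "title": og.get("og:title", "")}


def same_origin(url_a, url_b):
    """Scheme, host and explicit port must all match."""
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme.lower(), (a.hostname or "").lower(), a.port) == \
           (b.scheme.lower(), (b.hostname or "").lower(), b.port)


def hardened_preview(fetched_url, html):
    """Accept og:url only when it shares an origin with the URL that was
    actually fetched (pass the final URL after redirects); otherwise show the
    real URL and flag the page for review."""
    og = parse_open_graph(html)
    claimed = og.get("og:url", fetched_url)
    if same_origin(claimed, fetched_url):
        return {"url": claimed, "title": og.get("og:title", ""), "spoofed": False}
    return {"url": fetched_url, "title": og.get("og:title", ""), "spoofed": True}


if __name__ == "__main__":
    landing = "https://attacker.example/lure.html"
    print("naive   :", naive_preview(landing, SPOOFED_PAGE))
    print("hardened:", hardened_preview(landing, SPOOFED_PAGE))
```

Two caveats for anyone building the check for real: compare against the final URL after following redirects, not the URL the user pasted, and be aware that legitimate sites often set 'og:url' to a canonical address on a different host (m. versus www., or a link shortener), so a strict origin match will produce false positives; comparing registrable domains is the usual compromise.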
Facebook's defence against such abuse is a system called Linkshim: every time a link is clicked on Facebook, Linkshim checks the URL against the company's own blacklist of malicious links, to keep users away from phishing and malware sites.
This means that if an attacker uses a fresh domain to generate the spoofed links, Linkshim will not easily identify it as malicious.
Although Linkshim also uses machine learning to identify never-before-seen malicious pages by scanning their content, Tawily found that this protection can be bypassed by serving non-malicious content specifically to the Facebook bot, selected by its User-Agent or IP address (the technique commonly called cloaking).
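The following is an added example, not code from the article or from Tawily, modelling both sides of that bypass: a server that cloaks by User-Agent or source address, and the differential fetch a scanner can use to catch it. The "facebookexternalhit" User-Agent marker is Facebook's crawler family; the address range 203.0.113.0/24 standing in for the crawler's network, the client addresses and both page bodies are constructed for the example. The servers are plain Python callables rather than real HTTP endpoints so the whole thing runs offline.

```python
import hashlib
from ipaddress import ip_address, ip_network

# Facebook's link-preview crawler identifies itself as "facebookexternalhit/...".
CRAWLER_UA_MARKER = "facebookexternalhit"
# Constructed for the example: pretend this TEST-NET range is the crawler's
# source network. A real attacker keys this on the crawler's known ranges;
# a real detector must therefore fetch from outside them.
CRAWLER_NETS = [ip_network("203.0.113.0/24")]

BENIGN_PAGE = "<html><body><h1>Official trailer (HD)</h1><p>Enjoy the video.</p></body></html>"
MALICIOUS_PAGE = ('<html><body><h1>Session expired</h1>'
                  '<form action="/collect"><input name="password"></form></body></html>')


def cloaking_server(user_agent, client_ip):
    """Attacker side, as the article describes it: clean content for anything
    that looks like the Facebook bot, the real payload for everyone else."""
    by_ua = CRAWLER_UA_MARKER in user_agent.lower()
    by_ip = any(ip_address(client_ip) in net for net in CRAWLER_NETS)
    return BENIGN_PAGE if (by_ua or by_ip) else MALICIOUS_PAGE


def honest_server(user_agent, client_ip):
    """Control case: the same content for everyone."""
    return BENIGN_PAGE


def content_fingerprint(html):
    """Collapse whitespace before hashing so formatting noise is not divergence."""
    return hashlib.sha256(" ".join(html.split()).encode("utf-8")).hexdigest()


def detect_cloaking(fetch):
    """Differential check: request the page once as the crawler and once as an
    ordinary browser from an address outside the crawler's networks. A page
    that answers differently is showing the bot something users will not see."""
    crawler_view = fetch("facebookexternalhit/1.1", "203.0.113.10")
    user_view = fetch("Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/57.0",
                      "198.51.100.20")
    return {
        "cloaked": content_fingerprint(crawler_view) != content_fingerprint(user_view),
        "crawler_view": crawler_view,
        "user_view": user_view,
    }


if __name__ == "__main__":
    for name, server in (("cloaking", cloaking_server), ("honest", honest_server)):
        print(name, "->", "CLOAKED" if detect_cloaking(server)["cloaked"] else "consistent")
```

The hash comparison is deliberately crude: pages with per-request tokens, timestamps or A/B variants will differ between two fetches even without cloaking, so a production scanner compares extracted text or a rendered DOM rather than raw bytes, and must also handle cloaking that only kicks in after a client-side redirect or a delay.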
Tawily has also published a demo video showing the attack in action.
Since there is no way to check the actual URL behind a shared link on Facebook without opening it, there is little users can do to protect themselves except remain vigilant.
"In my opinion, all Facebook users think that the preview data shown by Facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks, including phishing campaigns/ads/click fraud pay-per-click," Tawily told The Hacker News.
Tawily reported the issue to Facebook, but the social media giant declined to recognise it as a security flaw, pointing out that Facebook uses Linkshim to protect against such attacks.