It hardly crosses most people's minds that they ought to exercise caution before clicking a link on Facebook.
For every shared link, Facebook Messenger and the timeline show a preview card with the title, description, thumbnail image and URL, which is usually enough to decide whether the content is worth clicking.
It's worth keeping in mind that Facebook carries clickbait, spam and fake news articles. Most people are aware of this and do not click every link they stumble upon. However, people are far more likely to open an article when the preview shows that content they are interested in comes from a legitimate, authoritative website such as Instagram or YouTube.
Some shared links can still land you in trouble. In July 2017 Facebook removed the ability for pages to edit the title, description and thumbnail image of a link preview, a change intended to stop the spread of false news and misinformation.
That was not enough to stop spammers: they can still spoof the URL shown in a shared link's preview, tricking users into visiting pages they do not expect, such as phishing sites or fake news sites serving malicious content or malware.
The flaw was discovered by 24-year-old security researcher Barak Tawily, who found that a simple trick allows anyone to spoof the preview URL by exploiting the way Facebook fetches link previews.
When a link is shared, Facebook scans the target page for Open Graph meta tags to determine its properties, specifically 'og:url', 'og:image' and 'og:title' for the URL, thumbnail image and title respectively. Tawily found that Facebook does not validate that the link in the 'og:url' meta tag matches the URL of the page it actually fetched, so a spammer can put a legitimate URL in the 'og:url' tag of a malicious page on their own site and have Facebook display that legitimate URL in the preview.
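To make the mechanism concrete, here is an added example (not Facebook's crawler code and not from Tawily's report) of a minimal Open Graph preview fetcher. `naive_preview` reproduces the behaviour the article describes: it takes `og:url` at face value. `strict_preview` is one possible hardening, assumed for this example rather than documented by Facebook: `og:url` may only override the displayed URL when its host is the fetched page's host or a subdomain of it. The two HTML pages are constructed for the demo; `attacker.example`, `blog.example` and the YouTube watch URL are placeholders.

```python
"""Added example: how an Open Graph preview fetcher is fooled by og:url,
and how a stricter fetcher catches it. Simplified stand-in for a crawler;
sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed attacker page: hosted on attacker.example, but its og:url
# claims to be a YouTube link so the preview card shows youtube.com.
SPOOFED_PAGE = """<html><head>
<meta property="og:title" content="Funny cat video">
<meta property="og:image" content="https://attacker.example/cat.jpg">
<meta property="og:url" content="https://www.youtube.com/watch?v=example">
</head><body>phishing form here</body></html>"""

# Constructed legitimate page: og:url points at the canonical URL on the
# same site, which is the normal, intended use of the tag.
LEGIT_PAGE = """<html><head>
<meta property="og:title" content="Our recipe of the week">
<meta property="og:url" content="https://blog.example/recipe-of-the-week">
</head><body>recipe</body></html>"""


class OGParser(HTMLParser):
    """Collect og:* meta tags the way a link-preview crawler would."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.og.setdefault(prop, a["content"])  # first occurrence wins


def parse_og(html):
    parser = OGParser()
    parser.feed(html)
    return parser.og


def naive_preview(fetched_url, html):
    """Vulnerable behaviour described in the article: og:url is trusted,
    so the preview card displays the attacker-chosen URL."""
    og = parse_og(html)
    return {
        "title": og.get("og:title"),
        "image": og.get("og:image"),
        "display_url": og.get("og:url", fetched_url),
    }


def _same_site(fetched_host, claimed_host):
    # Assumed policy for this example: og:url may only override the display
    # URL if it stays on the fetched host or a subdomain relation of it.
    if not fetched_host or not claimed_host:
        return False
    return (claimed_host == fetched_host
            or claimed_host.endswith("." + fetched_host)
            or fetched_host.endswith("." + claimed_host))


def strict_preview(fetched_url, html):
    """Hardened variant (an assumption of this example, not Facebook's fix):
    a cross-site og:url is ignored, the real URL is shown and the mismatch
    is flagged so the caller can treat the page as suspicious."""
    og = parse_og(html)
    claimed = og.get("og:url")
    fetched_host = urlparse(fetched_url).hostname or ""
    claimed_host = urlparse(claimed).hostname if claimed else None
    ok = _same_site(fetched_host, claimed_host)
    return {
        "title": og.get("og:title"),
        "image": og.get("og:image"),
        "display_url": claimed if ok else fetched_url,
        "og_url_mismatch": claimed is not None and not ok,
    }


if __name__ == "__main__":
    url = "https://attacker.example/x"
    print("naive :", naive_preview(url, SPOOFED_PAGE)["display_url"])
    print("strict:", strict_preview(url, SPOOFED_PAGE))
```

The point of the strict variant is not that the host check is sufficient on its own (a spammer can still register a look-alike domain), but that the preview never shows a domain the crawler did not actually reach, which is the property the article says was missing.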
"In my opinion, all Facebook users think that preview data shown by Facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks, including phishing campaigns/ads/click fraud pay-per-click," Tawily told The Hacker News.
He reported the flaw to Facebook, but the company declined to treat it as a security vulnerability, pointing out that Facebook uses "Linkshim" to protect against such attacks. Linkshim checks a clicked URL against the company's own blacklist of malicious links to keep users away from phishing and malicious websites.
This is a problem because if an attacker uses a fresh domain for the spoofed links, Linkshim has no history on it and cannot easily identify it as malicious. Tawily also found that the protection can be bypassed by cloaking: serving harmless content to Facebook's crawler, recognised by its User-Agent or IP address, while serving the malicious page to everyone else.
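The cloaking bypass, as an added example that is not from the article or from Facebook: `cloaked_server` is the attacker's side, returning a clean page whenever the request looks like it comes from the crawler, and `detect_cloaking` is a defender-side check that fetches the same URL as the crawler and as an ordinary browser from a non-crawler address and compares the two responses. The User-Agent markers, the crawler IP range (TEST-NET-3) and both HTML bodies are assumptions constructed for the demo.

```python
"""Added example: User-Agent / IP cloaking against a link-checking crawler,
and a two-fetch detector. Crawler markers and addresses are assumptions."""
import ipaddress

# Assumption: substrings the attacker expects in the crawler's User-Agent.
CRAWLER_UA_MARKERS = ("facebookexternalhit", "Facebot")
# Constructed crawler address range (TEST-NET-3, never routed).
CRAWLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

BENIGN_HTML = "<html><body>Welcome to our recipe blog</body></html>"
MALICIOUS_HTML = ("<html><body><form action='/steal'>"
                  "Log in to Facebook to continue</form></body></html>")


def looks_like_crawler(user_agent, client_ip):
    """Attacker's heuristic: crawler if the UA or the source IP matches."""
    ua_hit = any(m.lower() in user_agent.lower() for m in CRAWLER_UA_MARKERS)
    ip_hit = any(ipaddress.ip_address(client_ip) in net for net in CRAWLER_NETS)
    return ua_hit or ip_hit


def cloaked_server(user_agent, client_ip):
    """Attacker's page handler: clean content for the crawler (so the
    blacklist scan passes), the phishing page for real visitors."""
    if looks_like_crawler(user_agent, client_ip):
        return BENIGN_HTML
    return MALICIOUS_HTML


def detect_cloaking(fetch, url):
    """Defender-side check. `fetch(url, user_agent, source_ip)` returns the
    body; the browser-like fetch must leave from an address outside the
    crawler's published ranges or the comparison proves nothing."""
    as_crawler = fetch(url, "facebookexternalhit/1.1", "203.0.113.10")
    as_browser = fetch(url, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                       "198.51.100.7")
    return {
        "cloaked": as_crawler != as_browser,
        "crawler_view": as_crawler,
        "browser_view": as_browser,
    }


if __name__ == "__main__":
    # Simulated network: the fetch function just calls the cloaked handler.
    result = detect_cloaking(lambda u, ua, ip: cloaked_server(ua, ip),
                             "https://spam.example/")
    print("cloaked:", result["cloaked"])
```

A single crawler-identified fetch, which is what a blacklist scanner performs, always sees `BENIGN_HTML` here; only the second fetch from an unrelated address and User-Agent exposes the difference. Real content differs legitimately between clients (ads, locale, A/B tests), so a production detector would compare extracted features such as forms, external links and redirects rather than raw bytes.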