Israeli researcher cautions on social media links

By Balamurugan Selvaraj Published on Nov 15, 2017 10:49 AM IST


Would you agree if someone says that links shared by close people seem to be more vulnerable than exploits in the dark web? You would agree if the someone is a security researcher. A few weeks ago, security researcher Barak Tawily from Israel found some flaws with the links being shared on social media.

The researcher found the flaw while surfing on Facebook. What he found was the smart work of spammers to earn pay-per-click revenue. As soon as he spotted it, he contacted the authorities of Facebook. Refuting his claims, Facebook replied that the posts in the forum may contain user-generated content, and the risk of such posts seems to be low, even under

Also, the content spoofing bugs seem to be low-risk and low-impact, to fraud the Facebook security system with malicious links by providing fake data.

In such a screaming situation, the researcher thought to fool his Facebook friends with the flaw he found. Two weeks back, the researcher posted a fake YouTube link with the malicious attachment leading to Being malicious, the link was removed by Facebook. Later on, he tried with a fake, but not malicious link. And it has successfully bypassed the Facebook security bot.

Despite the links not being malicious, the researcher predicts the possibilities of being bulled and spammed by someone, who can even loot the user data with non-malicious fake links. Considering this to be future-alarming, the researcher warns users not to believe the links shared by someone, even close ones.

News Today contacted the researcher and had an exclusive interview over mail.


Do these malicious links spread only via Facebook or do they spread by other means of social media?

Not only Facebook, they are viral in other platforms like WhatsApp and Slack. Despite the sense of maliciousness, they still show you the original URL. So, it is less critical, compared to other vulnerabilities.

Are these links made and spread through black hat SEO?

Perhaps. Facebook and the other social media do not validate the URL. Though the og:url tag is same, they do it on purpose. For shorten links and other legitimate cases, one can use other URL in the og:url content.

Like play protect, does social media need a security system to filter those spammers? How should the security system be?

Yes, we need such a security system. Facebook has a security system called Linkshim. Perhaps, the system can be easily bypassed.

Do you agree that shorten links are malicious?

No, there are many cases where shorten links are legit. Still, it is in common use and also used by spammers. Through the attack, one doesn't need to use those shorten url and can simply fake the url displayed. And shorten URL, just makes you shorten URLs; so, instead of supplying users long URL, you just create a short one.

How should Linkshim be? Can you suggest something to prevent or filter malicious links from being posted?

There are two ways to detect Linkshim - its IP, and its user agent. In order to make it difficult to the attacker from detecting, one can send a generic browser user agent, and access the supplied URL from multiple IPs. So, the attacker's code won't be detected, despite the request received from the IP owned by Facebook.