Can the below Facebook link reveals the identity of the person who clicks it - http://www.facebook.com/profile php ?

471    Asked by ShibataTakagi in SQL Server , Asked on Oct 20, 2022

Is it technically possible to reveal the identity in Facebook of a person who clicks this specially crafted link - http://www.facebook.com/profile.php


Answered by Susan Connor

No, this isn't possible. Otherwise https://facebook.com - profile php would also reveal your identity: it opens a page with your name on it and everything from your stream.


What you are thinking about can be done with a cross-site scripting attack. This would inject a script into the page, which can do whatever it wants with the website. It can send info it gathered to the attacker, post messages for you, etc.

Facebook is not currently known to be vulnerable for cross-site scripting. It's very easy to patch this vulnerability, so if such a breach were found, it would be gone within an hour or two after discovery (pushing the update live takes a while). Meanwhile they could take that part of the website down.

For your reference, an example of an attack URL could be: https://example.com/search?q=">[removed][removed] To obscure this, an attacker would probably encode it:

https://example.com/search?q=">[removed][removed]

The only way this attack could be performed without Facebook themselves being vulnerable, is when the page is loaded over HTTP (not HTTPS) and an attacker can control the connection (like on a public WiFi network), or when you are using an old browser such as Internet Explorer 6. Or related things like Flash Player being very old, or you having a virus... But these are all external factors and not a vulnerability in the way that you described (finding an identity by a specially crafted url or page).



Your Answer

Interviews

Parent Categories