A new, even-lower from Facebook aka. deception where you most expect it


When you post a link on Facebook, FB fetches the page the link points to and builds a small preview of it: a picture and some text collected from the page, to show you what is at the end of the URL.

It also shows the URL in full. This is where you are supposed to click. Those with some HTML knowledge know that what the browser actually uses when following a link is not the text displayed on the page, which is meant to be human readable (and sits between the “a” tags in the HTML), but something else buried in the markup (the href attribute of the a tag).

Most browsers show this true URL in the small bar at the bottom of the page when you hover the mouse over the link, so you can see where you are going before you click. Everyone should always see where they are about to go before clicking. This is why I loathe and fear link shorteners such as bit.ly, much used by, among others, LinkedIn (yes, LinkedIn, I am looking at you. Stop, stop, stop, stop doing that! Just Stop It!), since they make looking at the real URL of a link before clicking pointless.

Enter Facebook. Trust them to go even lower. What they have done is to insert some JavaScript that shows, in the browser bar when you hover over the link, the URL where you will end up. But that is not where you go. You go to Facebook along with a tracking cookie. Then Facebook forwards you to your destination (the URL shown on the page and in the browser bar), along with yet another tracking cookie.

An example. Someone sent me a link on FB.

https://www.youtube.com/watch?v=JFozGfxmi8A%26fbclid%3DIwAR2zZCr0sL4fK4e8j1ryxM0TPEG9xx3hd3A1dGk_JymRVNoV_QXGmUDMpPs

This is the link shown in the browser bar, and where you would have reason to think you are going.

But this is where you actually go:

https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DJFozGfxmi8A%26fbclid%3DIwAR2zZCr0sL4fK4e8j1ryxM0TPEG9xx3hd3A1dGk_JymRVNoV_QXGmUDMpPs&h=AT1L4MNrBbYwyU4ze1nB3HUjfFQkoe5rq4i03bK3UtgTXK5PWiD-r721CMIZHl40J6XIf5n1EOHDq6MsfNYYcFMRCSnxmJBAKcjGT3wFyTN2tiPe7L-EVXkPAkd4c9yzwd0kzlcaa08oGcgYX0k_NAb0_GAHTw&__tn__=R]-R&c[0]=AT0ZA5Vg7zjuFtOFS7aRmqMPT-xnxv6lOAxQm5SgwNAfkvX8d8Her7MMmIUgEl3R7P7QAinPyU-rhi67C_Yhfbdn2jc3-3xtWgZQqGRCg7-_Kob-6kWjvRVHQpTwly3y5efDT9xme_Z-MT8GR1xn

To see this value, use “copy link address” in the right-click context menu on the link.

Breaking it down:

Yep, we’re off to Facebook alright.

https://l.facebook.com/l.php?

And here is where we were told we’re going:

u=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DJFozGfxmi8A%26fbclid%3DIwAR2zZCr0sL4fK4e8j1ryxM0TPEG9xx3hd3A1dGk_JymRVNoV_QXGmUDMpPs&

And here is the tracking cookie:

h=AT1L4MNrBbYwyU4ze1nB3HUjfFQkoe5rq4i03bK3UtgTXK5PWiD-r721CMIZHl40J6XIf5n1EOHDq6MsfNYYcFMRCSnxmJBAKcjGT3wFyTN2tiPe7L-EVXkPAkd4c9yzwd0kzlcaa08oGcgYX0k_NAb0_GAHTw&

__tn__=R]-R&

c[0]=AT0ZA5Vg7zjuFtOFS7aRmqMPT-xnxv6lOAxQm5SgwNAfkvX8d8Her7MMmIUgEl3R7P7QAinPyU-rhi67C_Yhfbdn2jc3-3xtWgZQqGRCg7-_Kob-6kWjvRVHQpTwly3y5efDT9xme_Z-MT8GR1xn

There we have it. A link on Facebook, when clicked, takes you to Facebook first.
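As an added example (my code, not Facebook’s or the post’s own), here is a small script that does by hand what the post describes: it takes the href the browser will really follow, unwraps an l.facebook.com/l.php redirect, strips the fbclid parameter and compares the result with the URL shown on hover. The host, path and parameter names come from the post; the sample URLs are constructed with placeholder tokens.

```javascript
// Added example (not from the original post): unwrap a Facebook l.php redirect
// and compare the real destination with the URL the user was shown on hover.
const WRAPPER_HOST = "l.facebook.com";       // from the post
const WRAPPER_PATH = "/l.php";               // from the post
const TRACKING_PARAMS = new Set(["fbclid"]); // from the post

// Where the click really resolves to, plus the parameters bolted on around it.
function unwrapLink(href) {
  const url = new URL(href);
  if (url.hostname !== WRAPPER_HOST || url.pathname !== WRAPPER_PATH) {
    return { wrapped: false, destination: href, extra: [] };
  }
  // `u` is percent-encoded once; URLSearchParams decodes it for us.
  const destination = url.searchParams.get("u");
  const extra = [...url.searchParams.keys()].filter((k) => k !== "u");
  return { wrapped: true, destination, extra };
}

// Drop known click-tracking parameters so two URLs can be compared fairly.
function stripTracking(href) {
  const url = new URL(href);
  for (const key of [...url.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(key)) url.searchParams.delete(key);
  }
  return url.toString();
}

// Compare what the status bar showed with the href the browser will follow.
function auditLink(shownHref, realHref) {
  const real = unwrapLink(realHref);
  const shownHost = new URL(shownHref).hostname;
  const firstHop = new URL(realHref).hostname;
  const finalHost = real.destination ? new URL(real.destination).hostname : null;
  return {
    firstHop,                                // who sees the click first
    finalHost,
    hostMismatch: shownHost !== firstHop,    // hover text hid the first hop
    destinationMatches: real.destination !== null &&
      stripTracking(real.destination) === stripTracking(shownHref),
    extraParams: real.extra,                 // e.g. h, __tn__, c[0]
  };
}

// Constructed sample values: shortened placeholders, not the post's real tokens.
const SHOWN_HREF = "https://www.youtube.com/watch?v=VIDEOID";
const REAL_HREF = "https://l.facebook.com/l.php?u=" +
  encodeURIComponent("https://www.youtube.com/watch?v=VIDEOID&fbclid=FBCLID_PLACEHOLDER") +
  "&h=H_PLACEHOLDER&__tn__=R]-R&c[0]=C0_PLACEHOLDER";
const REPORT = auditLink(SHOWN_HREF, REAL_HREF);
```

For the sample above the report says the first hop is l.facebook.com while the final destination is the YouTube URL that was shown; a wrapped link whose `u` points somewhere else would come back with `destinationMatches: false`.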

Not altogether unrelated: Facebook also takes other steps to prevent users from ferreting out what they are up to. Try switching on the web console in your browser, and Facebook sends instructions to your browser to switch it off. Yes, repeating that last bit: FB actually sends JavaScript to your browser to kill the web console if you have it running. That is some shit. The redirect is not through the HTTP 403 but rather through JavaScript in the HTML page being sent. That JavaScript kills the web console as well as directing your browser to the desired destination, and sets some cookies.

You can switch the web console on again, and if you do you are presented with the following message.

Sorry, that is in Swedish (I am behind a proxy). They claim, rightly, that the tool you are seeing this message in is for developers.

Of course, I still have plugins such as HTTP Header Live and HTTP-Tracker which FB can’t touch.

So FB are not only actively trying to deceive their users about what they are doing, they are also taking direct steps to prevent that deception from being uncovered.

