Facebook Messenger sidebar: opening a picture in a new tab publishes the picture to Internet, doesn't it?

  • Hello, Opera users and developers!

    Please explain to me where I am wrong: start with Facebook Messenger in the Opera sidebar and try this: pick any picture from any chat and choose "open picture in a new tab" via right mouse click. The picture will open in a new tab with a long address of the form https://scontent-arn2-1.xx.fbcdn.net/v/t1.15752-0/p480x480/86935027_ ... 657347d84&oe=5EB56DEF .

    This address is a public one (accessible by anyone with Internet access)! I've checked it by various means, e.g. by sending the link to my other PC, where I was not logged on to Facebook; it successfully opened that very picture. So the picture did not come from any local cache on that other PC. Also, it worked with other browsers, where I was not logged on to Facebook.

    1. Does it mean anytime I choose "open image in new tab" Opera sends the raw unprotected image from the chat to a public host?

    2. Does it mean the chat data in the messenger sidebar are unprotected even before "open image in new tab" is implemented?

    I hope I am wrong, but at the moment it looks chilling.

    Best regards,
    ouser91.

    Win 7, Dell, 8GB RAM

  • No. If anyone can access the image it is because Facebook is not requiring a password. Opera doesn't own the fbcdn domain - Facebook does.

  • Anyway the images get public.

  • Try it without using Open image - there should be an option called Copy image address on the menu too. Type that address on another computer (or just open a private window and paste it in the address bar) and see if it opens. If it does, then the image always was public as long as you knew the address.

  • It works either. So, it makes your chat images accessible to everyone with Internet access.

  • @ouser91 The picture's URL is the digital pathway into the hosting server where the image is stored. If user-access authentication when visiting that URL isn't being required, that's a basic issue (or 'fault') with the picture's server and its operators - in this case, Facebook. While that picture can apparently be accessed by anyone following the exact same URL path, the address structure itself is rather complex, which provides a modest level of access limitation. Facebook is apparently relying on the fact that one must have the full, correct address to access the picture; so in that sense, the picture hasn't been made fully public unless one knows (or can guess) the correct full address. Regardless, that is indeed a weak 'security' approach.

    In any case, it reinforces the wisdom that publishing pictures to the Internet in any way should be done with the expectation that they are never fully "private" - if only because the hosting system will have access and can either mine the images or be hacked (internally by employees or externally by 'black hats')... as various celebrities have discovered to their embarrassment or extortion.

  • @blackbird71 Understood, but let's not mess voluntary publishing to Internet with chatting in Messenger. When, e.g. in Google Drive, one chooses to share an image, there is an option to create a shareable link, and there is an alert saying the image will be accessible to everyone with the link. Here, with Facebook sidebar, one does not publish anything, the unsuspecting users just operate on their local PCs, and that creates public links to the file. I think chats are supposed to be fully private, and FB might share some metadata/maybe even data samples in anonymized form to sell you ads, but 100% not make raw images visible to everybody, w/o notifying you.

  • You try it in a regular Facebook tab? Or in a different browser to start with? Facebook has never been known for their security...

  • @sgunhouse Thank you for the prompt responses indeed. At the same time, I don't think going back and forth with details is a constructive approach here. I think I have described the issue in full. Anyone with Facebook and Opera is free to check that with a couple of clicks.
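
The thread turns on the image URL acting as the only credential, so anyone holding the link can fetch the picture. As an added example (not from the thread, and not Facebook's actual scheme), this sketch shows how an image host could bind a link to the logged-in viewer and an expiry time with an HMAC, so a forwarded link fails elsewhere. The host `cdn.example.test`, the `exp`/`sig` parameter names, the key and the function names are all hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients


def _mac(path: str, expires: int, viewer: str) -> bytes:
    # Bind the signature to the object, the expiry and the logged-in viewer.
    msg = f"{path}\n{expires}\n{viewer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def sign_url(path: str, viewer: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Issue a short-lived link for one viewer (hypothetical URL layout)."""
    expires = int(now if now is not None else time.time()) + ttl
    sig = _mac(path, expires, viewer).decode()
    return f"https://cdn.example.test{path}?{urlencode({'exp': expires, 'sig': sig})}"


def check_url(url: str, session_viewer: Optional[str], now: Optional[float] = None) -> str:
    """Return 'ok' or the reason the image host would refuse the request."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0].encode()
    except (KeyError, ValueError):
        return "malformed"
    if session_viewer is None:
        return "no-session"  # knowing the link alone is not enough
    # Constant-time compare; a changed path, expiry or viewer breaks the MAC.
    if not hmac.compare_digest(sig, _mac(parts.path, expires, session_viewer)):
        return "bad-signature"
    if (now if now is not None else time.time()) > expires:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: link issued to "alice" at t=1000, valid for 300 s.
    link = sign_url("/v/chat/photo123.jpg", "alice", now=1000)
    for who, t in (("alice", 1100), (None, 1100), ("mallory", 1100), ("alice", 1301)):
        print(who, t, check_url(link, who, now=t))
```
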
