Like all Web 2.0 sites, Facebook uses Ajax technology to provide increased functionality and a better user experience....
One method that Facebook uses to improve page load times involves concatenating, or joining character strings and link information, to the end of a URL. However, this means the URL for the profile you've just visited is still present in the new Facebook URL. If you copy and send this URL to someone else, they will be able to discern the previous step in your Facebook browsing history. As I said, this isn't a major security issue, but it does create an unnecessary, and potentially embarrassing, leak of personal information. For example, it could contain a link to a support or action group that you'd prefer to keep private.
You can avoid this particular problem simply by manually refreshing a Facebook page before you copy the URL from your address bar, as this removes any references to previous pages. I'm not sure how you could make the refresh an enforceable step in your acceptable usage policy, but I would certainly make your users aware of the issue.
The problem may well be something that you take into account when deciding to block social networks from your corporate network, but I think greater social network concerns are time wasting, data leakage, malware attacks and bullying.
You should, of course, be aware of the many other ways that Web browsing history is stored and accessible. First, there's the browser's address box, which presents previously typed addresses in a drop-down box. Ctrl+H brings up the browser's history panel that logs the date, time and Web address of every page visited. These features can be either handy or embarrassing, depending on who's watching over your shoulder. Thankfully, this data can be easily purged. With Internet Explorer, click on Tools, then Internet Options, then click the Delete Browsing History button. For Firefox users, click Tools then Options, select the Privacy tab and click the Clear Now button. Both browsers give you the option to clear your browsing history when closing them and delete all data that they may collect while you're browsing, such as cookies and saved form data. In IE 7 and 8, these actions now also delete the corresponding entries in the index.dat files, another store of browsing activities.
Note: If you're wondering how useful browser history data can be to an attacker, there's a website that can pretty accurately determine your gender just by analyzing your browser history. This site's just for fun, but the same data can just as easily be misused by an attacker.
Dig Deeper on Web application and API security best practices
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.