Manage Learn to apply best practices and optimize your operations.

Do Facebook URL security concerns justify blocking social networks?

Michael Cobb explains why the privacy concerns with Facebook URLs are not a serious threat to the enterprise.

I read recently that certain Facebook URLs can reveal users' browsing histories. Is this a serious security concern, and is it a valid reason to consider restricting or blocking Facebook and/or other social networking websites on our corporate network?
I wouldn't classify this as a serious security concern. The Facebook URL setting that you mention, though, raises privacy issues and could lead to an embarrassing situation.

Like all Web 2.0 sites, Facebook uses Ajax technology to provide increased functionality and a better user experience. One method that Facebook uses to improve page load times involves concatenating, or joining character strings and link information, to the end of a URL. However, this means the URL for the profile you've just visited is still present in the new Facebook URL. If you copy and send this URL to someone else, they will be able to discern the previous step in your Facebook browsing history. As I said, this isn't a major security issue, but it does create an unnecessary, and potentially embarrassing, leak of personal information. For example, it could contain a link to a support or action group that you'd prefer to keep private.

You can avoid this particular problem simply by manually refreshing a Facebook page before you copy the URL from your address bar, as this removes any references to previous pages. I'm not sure how you could make the refresh an enforceable step in your acceptable usage policy, but I would certainly make your users aware of the issue.

The problem may well be something that you take into account when deciding to block social networks from your corporate network, but I think greater social network concerns are time wasting, data leakage, malware attacks and bullying.

You should, of course, be aware of the many other ways that Web browsing history is stored and accessible. First, there's the browser's address box, which presents previously typed addresses in a drop-down box. Ctrl+H brings up the browser's history panel that logs the date, time and Web address of every page visited. These features can be either handy or embarrassing, depending on who's watching over your shoulder. Thankfully, this data can be easily purged. With Internet Explorer, click on Tools, then Internet Options, then click the Delete Browsing History button. For Firefox users, click Tools then Options, select the Privacy tab and click the Clear Now button. Both browsers give you the option to clear your browsing history when closing them and delete all data that they may collect while you're browsing, such as cookies and saved form data. In IE 7 and 8, these actions now also delete the corresponding entries in the index.dat files, another store of browsing activities.

Note: If you're wondering how useful browser history data can be to an attacker, there's a website that can pretty accurately determine your gender just by analyzing your browser history. This site's just for fun, but the same data can just as easily be misused by an attacker.

This was last published in October 2009

Dig Deeper on Web application and API security best practices

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.