Facebook URLs can reveal your browsing history

Ever copied a Facebook link from your address bar and pasted it to someone? If you have, there’s a possibility you also sent that person a snippet of your Facebook browsing history. In this article, FBHive explains how and why this happens, and what can be done to prevent it.

Facebook uses AJAX technology to allow users to navigate around the site without having to reload every page. This creates a more streamlined user experience, allows Facebook Chat to work more smoothly and, I suspect, reduces the server load for Facebook. There is, however, one major flaw with the way Facebook implements this system.

Every time you start browsing Facebook, the page opens with a pretty normal URL. For example:

url1

This is a fairly standard URL, with a page and a “GET variable” which specifies the individual profile you are viewing.

It’s when you begin to navigate from this point onwards that things get interesting. If you hover over a link to another page, you will once again see a fairly normal URL in your browser’s status bar. The following image shows what hovering over the link to Inbox will display…

url2

Clicking on the link, however, does not navigate to this URL. Instead it simply adds an anchor or fragment to the end of your current one. Facebook alters the URL in this way to allow linking without requiring a page reload. There is, however, one small problem – the URL in your browser is now the following:

url3

You’ll notice the URL for the profile you just visited is still sitting in the current URL.

Why is this a problem? 
Besides making the URL look messy, the bigger issue is that people do not even realise this “history” is there. People often copy and paste links like the one above without realising that a page they’ve visited (possibly hours ago) is still easily discernible.

For example:

  • You link a friend to a photo from a party you attended the night before, not realising you’ve also revealed that you were perving on his sister’s profile earlier.
  • You send your boss a link to your company’s Facebook Page. Unbeknownst to you, it also contains a URL to photos of the party you pulled a sick day for.
  • You link your Dad to your cousin’s Facebook profile, not realising you’ve also sent him the URL of a Facebook support group for transgender people, a personal preference you were keeping from him.

The fault is not entirely Facebook’s. This is more of a problem with the way URLs work, which provide very little support for permalinks when AJAX is used. Facebook have merely done it this way as a work-around, and they’re not the only site to do so. However, it becomes a bigger issue on Facebook when you are dealing with the personal details of real people.

How can this be avoided?
Simply refresh the page manually before you copy the URL from your address bar. This will automatically remove all previous page references, and makes the link look much cleaner as well.
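
The same clean-up can be done on a copied link before it is pasted anywhere. The following is an added example, not code from FBHive or Facebook: it assumes the fragment holds the path of the page currently shown (for instance `#/inbox/?ref=mb`), and the function names and sample URLs are constructed for illustration.

```javascript
// Added example. Assumption: after an AJAX navigation the fragment carries
// the path of the page now on screen, while the part before "#" is still the
// page the session started on. Sample URLs in the comments are constructed.
function splitAjaxUrl(link) {
  const url = new URL(link);
  const fragment = url.hash.slice(1); // drop the leading "#"

  // No fragment, or an ordinary in-page anchor such as "#top":
  // the link carries no second page, so leave it untouched.
  if (!fragment.startsWith("/")) {
    return { current: url.href, leaked: null };
  }

  // Rebuild the page actually being viewed. Concatenating onto the origin
  // (rather than resolving the fragment as a relative URL) keeps a fragment
  // like "//other.host/x" from switching the link to another host.
  const current = new URL(url.origin + fragment);

  // Everything before the "#" is the earlier page that would be disclosed.
  const leaked = new URL(url.href);
  leaked.hash = "";

  // If both sides name the same page, nothing extra is revealed.
  const same =
    leaked.pathname === current.pathname && leaked.search === current.search;

  return { current: current.href, leaked: same ? null : leaked.href };
}

// Returns the link a manual refresh would have left in the address bar.
function cleanLink(link) {
  return splitAjaxUrl(link).current;
}

// Constructed sample: started on a profile, then clicked through to Inbox.
// splitAjaxUrl("http://www.facebook.com/profile.php?id=1234#/inbox/?ref=mb")
//   current: "http://www.facebook.com/inbox/?ref=mb"
//   leaked:  "http://www.facebook.com/profile.php?id=1234"
```

A non-null `leaked` value is the earlier page the recipient would have been able to read from the link.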