Hatter says that, as a security research outfit, Blackhat Academy follows responsible disclosure and notified Facebook of the content cloaking issue at the end of July. Despite this, the method still works.
"We're well aware of the content forgery technique described and have built protections into our systems to account for it," a Facebook spokesman said via email.
"The content returned when we crawl a shared link is only one of many signals we use to combat spam and abuse on Facebook. We know that this content can change between visits, and therefore can't always be trusted, and our systems account for that," he added.
Earlier this year, Facebook signed a partnership with Web of Trust (WOT), an organization that maintains a community-driven spam URL block list. However, it is well known that blacklisting is not very effective on its own: there can be a significant window of exposure between the time a URL starts being spammed and the time it is flagged by such a system.
At the very least, content cloaking can be a powerful social engineering technique. A link with a .jpg extension accompanied by a thumbnail can look harmless enough to trick a lot of users into clicking on it.
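The two weaknesses described above, crawled content that differs from what a user later receives and an image-looking link that is not actually an image, can both be checked by a link-preview generator before it renders a thumbnail. The following is an added example and is not code from the article, from Facebook, Websense or Blackhat Academy. It replaces network access with a fetcher callable backed by a constructed in-memory table so it runs offline; the user-agent strings, the example.test URLs and the policy names are assumptions made for the example.

```python
"""Consistency checks a link-preview generator can run on a shared URL.

Added example, not code from the article, from Facebook, Websense or
Blackhat Academy. Network access is replaced by a fetcher callable backed
by a constructed in-memory table so the script runs offline; the user-agent
strings, URLs and policy names are assumptions made for the example.
"""
import hashlib
import posixpath
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
from urllib.parse import urlparse

Response = Tuple[str, bytes]                            # (Content-Type, body)
Fetcher = Callable[[str, str], Response]                # (url, user_agent) -> Response

CRAWLER_UA = "ExamplePreviewBot/1.0"                    # assumed preview-crawler UA
BROWSER_UA = "Mozilla/5.0 (example end-user browser)"   # assumed browser UA
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


@dataclass
class Verdict:
    cloaked: bool              # crawler and browser received different responses
    type_mismatch: bool        # URL claims an image but the body is not image/*
    reasons: List[str] = field(default_factory=list)

    @property
    def render_preview(self) -> bool:
        # Policy (assumed): only build a thumbnail when both signals are clean.
        return not (self.cloaked or self.type_mismatch)


def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def claimed_extension(url: str) -> str:
    """Extension of the URL path only; the query string is ignored."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def assess_link(url: str, fetch: Fetcher) -> Verdict:
    """Fetch the URL as the crawler and as a browser and compare the two views."""
    crawler_type, crawler_body = fetch(url, CRAWLER_UA)
    browser_type, browser_body = fetch(url, BROWSER_UA)
    reasons: List[str] = []

    cloaked = (crawler_type != browser_type
               or digest(crawler_body) != digest(browser_body))
    if cloaked:
        reasons.append("crawler view differs from browser view")

    type_mismatch = False
    if claimed_extension(url) in IMAGE_EXTENSIONS:
        # Judge by what a real user would receive, not by what the crawler saw.
        if not browser_type.lower().startswith("image/"):
            type_mismatch = True
            reasons.append(f"{claimed_extension(url)} URL served {browser_type}")

    return Verdict(cloaked, type_mismatch, reasons)


def changed_since(url: str, fetch: Fetcher, earlier_digest: str) -> bool:
    """Re-crawl later and report whether the crawler view has changed.

    Crawled content is a point-in-time signal; a later visit may see
    something else, so a stored digest can be re-verified.
    """
    _, body = fetch(url, CRAWLER_UA)
    return digest(body) != earlier_digest


def constructed_host(url: str, user_agent: str) -> Response:
    """Constructed stand-in for a link host; not a real server."""
    jpeg = b"\xff\xd8\xff" + b"constructed-jpeg-bytes"
    if url == "https://example.test/photo.jpg":
        return ("image/jpeg", jpeg)
    if url == "https://example.test/article.html":
        return ("text/html", b"<html>ordinary article</html>")
    if url == "https://example.test/cloaked.jpg":
        # Constructed case: one response for the crawler, another for everyone else.
        if user_agent == CRAWLER_UA:
            return ("image/jpeg", jpeg)
        return ("text/html", b"<html>spam landing page</html>")
    raise KeyError(f"no constructed response for {url}")


if __name__ == "__main__":
    for link in ("https://example.test/photo.jpg",
                 "https://example.test/article.html",
                 "https://example.test/cloaked.jpg"):
        verdict = assess_link(link, constructed_host)
        print(link, "render_preview=%s" % verdict.render_preview, verdict.reasons)
```

The comparison uses a content digest rather than the raw bytes so the stored value for a later re-check is small, and the image check is made against the browser view because that is what a user who clicks the link would actually receive; a site that varies its response on other signals than the user agent would need the second fetch to be made from a genuinely different vantage point.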
Facebook and Websense are not the only ones with this problem. Google+ and Digg are also vulnerable to cloaking attacks, but other sites such as Twitter have developed strong protections against them.