When you use a messaging service like Facebook Messenger, you have a reasonable expectation that what you say is private and secure. But due to a quirk in how Facebook handles certain pieces of information, just about anyone who knows how to use Facebook’s developer API can view links that others have sent over Facebook Messenger.

In a post published to Medium, security researcher Inti De Ceukelaire explains how this works. Without getting too technical, every link you share—as well as just about anything else that’s ever been shared to Facebook—has an identification number of sorts assigned to it. As De Ceukelaire notes, “there’s absolutely nothing wrong with this. At least when this data is kept secret.”

De Ceukelaire tested to see if he could search for items by these identification numbers using the Facebook API developer tools. And while he got “access denied” errors in most cases, he discovered that he could access links shared on Facebook this way. With help from a friend, De Ceukelaire was able to verify what he found—and as it turns out, links don’t necessarily need to be made public to the wider world for someone to access them using this method. The pair also discovered that they were able to access links shared via Facebook Messenger.