1
Facebooks crawls every page recorded by its tracking pixel
So yesterday we figured out that facebooks Facebot crawler will crawl _every_ url that was recorded by their tracking pixel.
I find this highly concerning since:
1. they are crawling potentially sensitive information granted by links with tokens
2. they are triggering potentially harmful and/or confusing actions in your website by repeating links
3. they are repeating requests in a broken way by not encoding url-parameters correctly, for instance url-encoded %2B ends up just as a "+" thus becoming a whitespace (same goes for slashes etc.)
4. I could not find a warning or note on their tracking-pixel documentation that pages tracked would be crawled later