Facebook Combats Spam, Clickjacking With New Features
One day after Symantec uncovered an alleged privacy breach, Facebook released four new features to its security suite, unrelated to the discovery.
These four additions aim to boost protective measures against scams, spam, clickjacking and malicious cross-site scripting. The new features also include a new partnership with a website-vetting company and login approvals. Here's what you need to know about Facebook's latest fight against malware.
Facebook Partners With "Web of Trust"
Web of Trust (WOT) is a free safe-surfing tool that tells you which websites you can trust based on crowd-sourced ratings supplied by other WOT community members.
While Facebook already has a system that automatically scans links to determine whether the sites are spammy or contain malware, Facebook's partnership with WOT will provide your account with an extra line of defense.
If you happen to click on a link that may contain spam or malware, a pop-up will appear that explains that the link you're trying to visit could be dangerous. You then have the option to proceed or return to the previous page.
Since WOT is a crowd-sourced application, its effectiveness depends on the number of people rating the safety of various websites. Facebook anticipates that getting its members to submit questionable sites to the list will help to "massively increase" WOT's coverage and security reach.
Updated Clickjacking Precautions
Since spammers tend to take advantage of browser vulnerabilities, they often try to trick users into clicking on bad links--also known as clickjacking. Spammers do this by overlaying the link with something enticing, such as a phony offer.
One such clickjacking worm that spread through Facebook's "Like" feature last year and affected hundreds of thousands of users had a message that said, "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
Facebook has now built a clickjacking defense into its "Like" button to alert you if Facebook thinks you're being tricked. When Facebook detects something suspicious, you'll be asked to confirm your "Like" before Facebook posts the action to your profile and your friends' News Feeds.
If you have already clicked on a link to add something to the "Likes and Interests" section of your profile, you can always edit the field by clicking "Edit My Profile" and selecting "Likes and Interests" from the menu on the left.
Self "Cross-Site Scripting" (XSS) Protection
Another way spammers take advantage of browser weakness: by asking users to copy and paste malicious code into their address bar. This causes the browser to take actions on the malware's behalf, including posting status updates with phony links and sending spam messages to friends.
You've probably seen Facebook friends post apologies more than once to their profile for unknowingly posting spam on friends' walls and warning others not to click it.
Now, when Facebook's systems detect that you have posted malicious code into your address bar, Facebook will display a popup confirming that you meant to do this, and will provide information on why it's a bad idea.
Advanced Login Approvals
Facebook's new "Login Approvals" function is now available to everyone. The feature is optional--but recommended for all Facebook users--and uses two-factor authentication. That means, if you choose to use it, whenever you log in to Facebook from a new device, you'll be required to also enter a code they send to your mobile phone via text message.
If Facebook sees a login attempt from a device that you haven't saved, you'll be notified the next time you log in. If you don't recognize the login, you can then change your password.
Kristin Burnham covers consumer technology, social networking and Web 2.0 for CIO.com. Follow Kristin on Twitter @kmburnham. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Kristin at firstname.lastname@example.org