Facebook Combats Spam, Clickjacking, With Four New Security Features
Facebook beefs up its security measures to ward off spammers, clickjackers and malware. Here's what you need to know about Facebook's latest efforts to protect users from malicious software.
Fri, May 13, 2011
These four additions aim to boost protective measures against scams, spam, clickjacking and malicious cross-site scripting. The new features also include a new partnership with a website-vetting company and login approvals. Here's what you need to know about Facebook's latest fight against malware.
Facebook Partners With "Web of Trust"
Web of Trust (WOT) is a free safe-surfing tool that tells you which websites you can trust based on crowd-sourced ratings supplied by other WOT community members.
While Facebook already has a system that automatically scans links to determine whether the sites are spammy or contain malware, Facebook's partnership with WOT will provide your account with an extra line of defense.
If you happen to click on a link that may contain spam or malware, a pop-up will appear that explains that the link you're trying to visit could be dangerous. You then have the option to proceed or return to the previous page.
Since WOT is a crowd-sourced application, its effectiveness depends on the number of people rating the safety of various websites. Facebook anticipates that getting its members to submit questionable sites to the list will help to "massively increase" WOT's coverage and security reach.
Updated Clickjacking Precautions
Since spammers tend to take advantage of browser vulnerabilities, they often try to trick users into clicking on bad links—also known as clickjacking. Spammers do this by overlaying the link with something enticing, such as a phony offer.
One such clickjacking worm that spread through Facebook's "Like" feature last year and affected hundreds of thousands of users had a message that said, "LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
Facebook has now built a clickjacking defense into its "Like" button to alert you if Facebook thinks you're being tricked. When Facebook detects something suspicious, you'll be asked to confirm your "Like" before Facebook posts the action to your profile and your friends' News Feeds.
If you have already clicked on a link to add something to the "Likes and Interests" section of your profile, you can always edit the field by clicking "Edit My Profile" and selecting "Likes and Interests" from the menu on the left.
Self "Cross-Site Scripting" (XSS) Protection
Another way spammers take advantage of browser weakness: by asking users to copy and paste malicious code into their address bar. This causes the browser to take actions on the malware's behalf, including posting status updates with phony links and sending spam messages to friends.