Facebook is launching several new security features today designed to protect users from malware and from getting their accounts hijacked.
First, the site will display warnings when users are about to be duped by clickjacking and cross-site scripting attacks in which they think they are following a link to an interesting news story or taking action to see a video and instead end up spamming their friends.
For example, a scam was circulating yesterday in which Facebook users were inadvertently commenting on what looked like a news site with details of the iPhone 5. Clicking on the link leads to a page with a captcha window and if it is clicked the spam is then spread on a user's Facebook page. Another one was spreading today that urged people to verify their accounts by clicking on something. Facebook was quickly removing those posts.
In cross-site scripting (XSS) attacks, people are often asked to cut and paste Javascript or another type of code into their browser Web address bar in order to see a video or get a free product, for instance. But the code ends up doing something else entirely.
Both types of attacks take advantage of a vulnerability in the Web browser, and Facebook says it is working with the major browser companies to fix the underlying issue. Internet Explorer 9 already has some protections against this in place.
But now, Facebook will display a warning to users if it detects that suspicious activity is going on behind the scenes. To block clickjacking, the site will ask users to confirm their "like" before posting a story to their profile and their friends' News Feeds. And to prevent XSS attacks, Facebook will ask users to confirm that they meant to take the action.
Facebook also is offering two-factor authentication called "Login Approvals," which if turned on will require users to enter a code whenever they log into the site from a new or unrecognized device. The code is sent via text message to the user's mobile phone.
First, the site will display warnings when users are about to be duped by clickjacking and cross-site scripting attacks in which they think they are following a link to an interesting news story or taking action to see a video and instead end up spamming their friends.
For example, a scam was circulating yesterday in which Facebook users were inadvertently commenting on what looked like a news site with details of the iPhone 5. Clicking on the link leads to a page with a captcha window and if it is clicked the spam is then spread on a user's Facebook page. Another one was spreading today that urged people to verify their accounts by clicking on something. Facebook was quickly removing those posts.
In cross-site scripting (XSS) attacks, people are often asked to cut and paste Javascript or another type of code into their browser Web address bar in order to see a video or get a free product, for instance. But the code ends up doing something else entirely.
Both types of attacks take advantage of a vulnerability in the Web browser, and Facebook says it is working with the major browser companies to fix the underlying issue. Internet Explorer 9 already has some protections against this in place.
But now, Facebook will display a warning to users if it detects that suspicious activity is going on behind the scenes. To block clickjacking, the site will ask users to confirm their "like" before posting a story to their profile and their friends' News Feeds. And to prevent XSS attacks, Facebook will ask users to confirm that they meant to take the action.
Facebook also is offering two-factor authentication called "Login Approvals," which if turned on will require users to enter a code whenever they log into the site from a new or unrecognized device. The code is sent via text message to the user's mobile phone.