
Facebook adds new user security features

Warnings will pop up to block malware attacks, while security codes via text messages can be used for new device log-ins.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

This is the type of warning you will see if Facebook detects a type of malware attack that requires user action.

Facebook is launching several new security features today designed to protect users from malware and from getting their accounts hijacked.

First, the site will display warnings when users are about to be duped by clickjacking and cross-site scripting attacks in which they think they are following a link to an interesting news story or taking action to see a video and instead end up spamming their friends.

For example, a scam was circulating yesterday in which Facebook users were inadvertently commenting on what looked like a news site with details of the iPhone 5. Clicking on the link leads to a page with a captcha window, and if it is clicked, the spam is then spread on the user's Facebook page. Another one was spreading today that urged people to verify their accounts by clicking on something. Facebook was quickly removing those posts.

In cross-site scripting (XSS) attacks, people are often asked to cut and paste JavaScript or another type of code into their browser's Web address bar in order to see a video or get a free product, for instance. But the code ends up doing something else entirely.

Both types of attacks take advantage of a vulnerability in the Web browser, and Facebook says it is working with the major browser companies to fix the underlying issue. Internet Explorer 9 already has some protections against this in place.

But now, Facebook will display a warning to users if it detects that suspicious activity is going on behind the scenes. To block clickjacking, the site will ask users to confirm their "like" before posting a story to their profile and their friends' News Feeds. And to prevent XSS attacks, Facebook will ask users to confirm that they meant to take the action.

Facebook also is offering two-factor authentication called "Login Approvals," which, if turned on, will require users to enter a code whenever they log in to the site from a new or unrecognized device. The code is sent via text message to the user's mobile phone.

Facebook is now warning users when a link they are clicking on appears to lead to malware.

Finally, Facebook is partnering with the free Web of Trust safe surfing service to give Facebook users more information about the sites they are linking to from the social network. When a user clicks on a potentially malicious link, a warning box will appear that gives more information about why the site might be dangerous. The user can either ignore the warning or go back to the previous page.

The information from Web of Trust, which has rated more than 31 million sites, is in addition to Facebook's internal blacklist of sites that it blocks users from sharing.