New Defenses Aim to Block Clickjacking
The Login Approvals feature can be turned on by going to the Account Security section of the Facebook account settings page, the company said. It's a "pity" Facebook won't let the security-conscious user require two-factor authentication on every login, Ducklin said. It would be "even nicer" if Facebook added a token-based option, and Ducklin said it would be reasonable to charge for it, as well. The token would allow users to enjoy the benefits of two-factor authentication without sharing their mobile phone number.As for the spam links spreading virally, Facebook said it had "built defenses" in the Facebook Like button to detect clickjacking and block links to known malicious sites. When users are posting a suspicious link to their profiles or friends' News Feeds, they will be prompted with a CAPTCHA window. The additional prompt ensures that the user really wants to post that link. The new "Self-XSS Protection" feature also prevents users from inadvertently being part of a cross-site scripting attack. Spammers ask people to copy and paste malicious code into their Web browser's address bar, which results in the browser doing some user tasks, such as posting phony links or spamming friends, Genzmer said. When the site detects that the user has pasted malicious code into the address bar, it will display a challenge window with information as to why it's a bad idea and to ask the user to confirm the user meant to do this, according to the blog post. "We are also working with the major browser companies to fix the underlying issue that allows spammers to do this," said Genzmer. Internet Explorer 9 has already put some protections in place, according to the blog post. And finally, the company has partnered with Web of Trust to analyze links posted on Facebook. Web of Trust relies on ratings supplied by other community members. While Facebook already has a system that automatically scans the millions of links posted on the site to determine whether they are "spammy or contain malware," Web of Trust will provide Facebook with a larger list of known malicious sites, Genzmer said. Facebook users will be able to help categorize links by using the Web of Trust add-on to leave their own rankings.
Many users remain leery of giving up their numbers after Facebook said it will let app developers get user addresses and phone numbers in February. After an uproar, the site "temporarily" suspended the program.