Facebook Messages Security in Focus

Facebook's recent announcement could expand the security threat landscape for the site, some say. The social network shared with eWEEK how it is dealing with that.

When Facebook announced its plans Nov. 15 for its Messages feature, it opened the door to new questions about spam and security.

Once it is fully rolled out, the new Messages interface will weave together not only Facebook messages, but also chats, SMS (texts) and e-mails in a central location.

"You decide how you want to talk to your friends: via SMS, chat, e-mail or Messages," blogged Facebook engineer Joel Seligstein. "They will receive your message through whatever medium or device is convenient for them, and you can both have a conversation in real time. You shouldn't have to remember who prefers IM over e-mail or worry about which technology to use. Simply choose their name and type a message."

According to Facebook, this has all been engineered with security in mind. Part of that means extending existing privacy controls - users can control who can send them messages from the "Basic Directory Information" section of their "Privacy Settings" page. From there, users can select "View settings" and change the setting for "Send me messages."

"Only e-mails from people that fall within the message privacy setting you choose will be delivered to your Facebook message inbox," a Facebook spokesperson said. "For example, if you selected the 'Friends Only' setting, then messages from e-mail addresses that we can't determine belong to one of your friends will not get delivered to you. Instead, those senders will receive automatic bounce-back replies."

"When someone sends you a message on Facebook through SMS (or e-mail or chat), it works the same as any other message," the spokesperson continued. "Whatever privacy settings you have in place for who can send you messages will be respected no matter what mechanism they use to send you the message. You can block individual people if you do not want them to message you."

Still, the problem of spam could be a real one, noted Graham Cluley, senior technology consultant at Sophos. The e-mail address Facebook is providing users - which ends in @facebook.com - is trivial to work out because it will be based on people's public usernames, he said.

"It seems to me that the opportunities for bad guys to exploit Facebook users (are) going to increase, and that the damage that can be done will be greater," he said. "Imagine for instance, just how much data could be scooped up by accessing someone's Social Inbox, and being able to read all of the communications that ever occurred between two people - or how a compromised Facebook account could now be used to send messages external to the Facebook system."

The Social Inbox is where messages from a user's friends - and their friends' friends - will go by default. There is also an "Other" folder where additional messages will be stored.

"If someone you know isn't on Facebook, that person's e-mail will initially go into the Other folder," Seligstein blogged. "You can easily move that conversation into the Inbox, and all the future conversations with that friend will show up there. You can also change your account settings to be even more limited and bounce any e-mails that aren't exclusively from friends. This kind of message control is pretty unprecedented ... Messages reverses the approach to preventing unwanted contact. Instead of having to worry about your e-mail address getting out, you're now in control of who can actually reach you."
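The routing rules described by the spokesperson and by Seligstein above (friends to the Inbox, friends of friends to the Inbox by default, everyone else to Other, and a "Friends Only" setting that bounces any sender who cannot be attributed to a friend) can be modelled as a small policy function. This is an added illustration, not Facebook's code; the setting names, the social graph, the address-to-user directory and the sample addresses are all constructed.

```python
# Added example modelling the article's message-routing policy (not Facebook's code).
# Setting names below are assumptions; only "Friends Only" appears on the page.
FRIENDS_ONLY = "friends_only"   # bounce anything not attributable to a direct friend
EVERYONE = "everyone"           # assumed name for the default, more permissive setting

# Constructed social graph (undirected) and address directory for the example.
GRAPH = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "dave": set(),
}
# An address the service can attribute to a Facebook user; anything missing
# here is an address "we can't determine belong[s] to one of your friends".
DIRECTORY = {
    "bob@example.com": "bob",
    "carol@example.com": "carol",
    "dave@example.com": "dave",
}

def friend_sets(graph, user):
    """Return (direct friends, friends plus friends-of-friends) for user."""
    direct = set(graph.get(user, ()))
    extended = set(direct)
    for friend in direct:
        extended |= set(graph.get(friend, ()))
    extended.discard(user)
    return direct, extended

def route_message(recipient, sender_addr, setting, graph=GRAPH,
                  directory=DIRECTORY, promoted=frozenset()):
    """Decide where a message from sender_addr lands: 'inbox', 'other' or 'bounce'.

    promoted holds external addresses whose conversation the recipient moved
    into the Inbox, so later mail from them goes straight there (per the post).
    """
    sender = directory.get(sender_addr)          # None if unattributable
    direct, extended = friend_sets(graph, recipient)
    if sender in direct:
        return "inbox"                           # friends always reach the Inbox
    if setting == FRIENDS_ONLY:
        return "bounce"                          # unknown or non-friend: bounce-back
    if sender in extended or sender_addr in promoted:
        return "inbox"                           # friend-of-friend or promoted sender
    return "other"                               # everything else lands in Other
```

The "bounce" branch is the security-relevant one: it fires on the identity check failing, not on content, so a spoofed or unattributable external address never reaches the recipient under "Friends Only".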

Facebook did not say specifically how it would deal with the prospect of files being sent via e-mail, such as PDF documents. However, the company stated that it will take advantage of its existing spam-fighting technology and has contracted with an unnamed third party to supplement its security protections for the new Messages features.

"All Facebook users will need to be on their guard against having their accounts broken into, and maintain a solid (defense) against phishing, malware, spam and rogue applications," Cluley said. "Facebook itself will also be tested to see how well it can block malware attacks and spam campaigns in a timely fashion."