Facebook is launching several new security features today designed to protect users from malware and from getting their accounts hijacked.
First, the site will display warnings when users are about to be duped by clickjacking and cross-site scripting (XSS) attacks. In both, the user thinks they are following a link to an interesting news story or clicking to play a video; the click instead triggers a hidden action that ends up spamming their friends.
For example, a scam was circulating yesterday in which Facebook users were inadvertently commenting on what looked like a news site with details of the iPhone 5. Clicking on the link led to a page with a captcha window; clicking the captcha silently posted the spam to the user's own Facebook page, where friends saw it and followed the same link. Another one was spreading today that urged people to verify their accounts by clicking on something. Facebook was quickly removing those posts.
Both types of attack take advantage of weaknesses in the Web browser. Clickjacking, for instance, relies on the browser's willingness to render one site inside an invisible frame laid over another, so a click meant for a "play" button or a captcha actually lands on a hidden button on the framed site. Facebook says it is working with the major browser companies to fix the underlying issue, and Internet Explorer 9 already has some protections against this in place.
In the meantime, Facebook will display a warning to users if it detects suspicious activity going on behind the scenes. To blunt clickjacking, the site will ask users to confirm a "like" before posting the story to their profile and their friends' News Feeds, so a single stray click is no longer enough to publish. And to blunt XSS attacks, Facebook will ask users to confirm that they meant to take the action.
Facebook also is offering two-factor authentication called "Login Approvals," which, if turned on, requires users to enter a code whenever they log in to the site from a new or unrecognized device. The code is sent via text message to the user's mobile phone. Note that the second factor is only demanded on unrecognized devices; a login from an already-approved device is still protected by the password alone.
Finally, Facebook is partnering with the free Web of Trust safe-surfing service to give Facebook users more information about the external sites they are about to visit from the social network. When a user clicks on a potentially malicious link, a warning box will appear that explains why the site might be dangerous. The user can either proceed despite the warning or go back to the previous page.
The information from Web of Trust, which has rated more than 31 million sites, is in addition to Facebook's internal blacklist of sites that it blocks users from sharing.