Facebook Revamps Pages Administrator Security Controls
Access controls will help prevent clickjacking attacks by allowing page managers to restrict others' administrator privileges.
Facebook this week gave administrators of Pages--its online offering for businesses and organizations--new security capabilities. They can now delegate restricted administrator rights to other people.
Facebook detailed the changes on its Admin Roles page, including the five new roles (listed in order of greatest to least access rights): manager, content creator, moderator, advertiser, and insights analyst.
More Security Insights
- Get Actionable Insight with Security Intelligence for Mainframe Environments
- How Attackers Identify and Exploit Software and Network Vulnerabilities
White PapersMore >>
"Facebook page managers have the power to send messages, view insights, and create posts and adverts. Crucially, they are also the only role which can access admin roles, and remove other administrators," said Graham Cluley, a senior technology consultant at Sophos, in a blog post. Each administrator must also be unique--that is, tied to a different person's Facebook page.
[ Facebook's security policies have changed greatly over time. Learn more about Facebook's History: From Dorm To IPO. ]
Pages are used by numerous businesses and personalities--including Lady Gaga, Justin Bieber, Coca-Cola, Disney, and MTV--as part of their online brand strategy. But they're also an attractive target for attackers since, if hijacked, they provide a one-stop shop for potentially scamming millions of Facebook users. "A Facebook page which has been hijacked could be used to spread malicious links, spam, or scams--all in your brand's name," said Cluley.
After hijacking a Facebook page, attackers will often launch a clickjacking--also known as likejacking--attack, which exploits various cross-site capabilities built into Facebook. Some attackers, for example, hide a link over the top of a Facebook "like" button, then trick a user into clicking the button. That, in turn, generates a status update on the user's Facebook page, including a link to the scam or malicious link, enticing others to click on it. Other attackers, meanwhile, abuse the "share" button functionality in similar ways.
With Facebook's access-control changes, however, even if attackers manage to hijack Facebook user accounts that include access rights to Pages, they'll find many fewer accounts that grant them all-inclusive access rights.
That change brings Pages in line with long-established information security best practices: only give people the least amount of access they need to do their job. "In the past, staff who simply wanted to access a Facebook page's admin panel to view statistics on how users were engaging with it, or running advertising campaigns, needed full admin rights--something which could be a disaster waiting to happen," said Cluley.
Restricting access, however, helps mitigate any fallout if the account gets compromised, or in the case of insiders who turn malicious, helps prevent sensitive data from being exfiltrated, or the Facebook Pages themselves from being sabotaged.
Whether the vector is a phishing scam, a lost iPod loaded with sensitive data, or an email-borne worm slithering through a public account, our Well-Meaning Employees--And How To Stop Them report gives you pointers on keeping well-meaning end users from blowing up your systems from the inside. (Free registration required.)