FAQ: Security and Facebook’s new messages system

Facebook messages security FAQ

Update 11 February, 2011: Facebook has announced that it is rolling out the new messages system to all users.

What follows is the article we wrote in November 2010, explaining the security implications of Facebook’s new messages system – with particular regard to malware and spam.

Earlier today Facebook announced its new messages system. Although widely anticipated to be a Gmail-killer (some even dubbed it “FMail”), it turned out to be somewhat different.

Here’s a quick FAQ of what we think you may want to know about it, and the implications for security.

What’s changed?
Facebook is bringing together traditional email, Facebook messages, instant messaging chat and SMS messages all into one place. They say this solves the problem of remembering that your Grandma isn’t on Facebook and prefers to receive an email, and that cousin Henry’s computer is broken so he’d prefer to get text messages.

Rather than remember how each person likes to be communicated with, now you will just message them via the Facebook service, and it will work out how to get the communication to them.

Will I get an @facebook.com email address?
If you’re on Facebook and you want one, then yes, you’ll be able to get one. It will take a few months for Facebook to roll out the service for all its users, however.

So, it’s just another form of email?
Not really. It’s actually more like sending a text or an instant message. The messages won’t have any subject lines, for instance. Furthermore, Facebook says it will store a complete history of all of your communications with one person in one place.

Can I choose my own email address?
You may be too late. If you already chose a public username on Facebook (for instance, facebook.com/publicusername) then that will be your email address too (publicusername@facebook.com).

Choosing a Facebook email address

But if my public username is public, doesn’t that mean anyone can find out my Facebook email address too?
Yes. Anyone will be able to work out your Facebook email address and send you a message. You will need to change your default privacy settings to block messages from unknown addresses.

Choose the “Friends Only” setting to ensure that only your Facebook friends can message you.

The 'Other' folder
How will Facebook sort through the messages?
Email from friends and their friends goes directly to your main messages folder, and everything else goes to the “Other” folder. Facebook says that spam and bulk email will automatically go to the “Other” folder, but it remains to be seen how effective that will be.

Also, they don’t say how they will deal with spam and malware sent from accounts belonging to your Facebook friends – which has become a significant problem in the last year.

What if I’m Facebook friends with someone and they try to email me from a non-Facebook address?
Facebook says that if a message comes from an email address that they can’t confirm as belonging to one of your friends they will block it – if you have selected the “Friends Only” setting.
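As an added illustration of the routing rules described above (not Facebook's code, and simplified to the two settings the FAQ names, the default and "Friends Only"), the small model below keys every decision on the account a sender resolves to, which is exactly why a message from a friend whose account has been compromised still lands in the main folder. The accounts, friendships and e-mail addresses are made up for the example.

```python
# Trust-based message routing as described in the FAQ. Constructed illustration;
# the directory contents below are invented for this example.

FRIENDS_ONLY = "friends_only"   # only confirmed friends can reach you
EVERYONE = "everyone"           # the default described in the text


class Directory:
    """Who is friends with whom, and which external addresses are confirmed."""

    def __init__(self, friends, confirmed_emails):
        self.friends = {a: set(fs) for a, fs in friends.items()}
        self.confirmed_emails = confirmed_emails   # external address -> account id

    def is_friend(self, me, other):
        return other in self.friends.get(me, set())

    def is_friend_of_friend(self, me, other):
        return any(self.is_friend(f, other) for f in self.friends.get(me, set()))

    def resolve(self, sender):
        """Map a sender to an account id; None if it is an unconfirmed external address."""
        if "@" in sender:
            return self.confirmed_emails.get(sender)
        return sender


def route(directory, recipient, sender, setting):
    """Return 'inbox', 'other' or 'blocked' for one incoming message."""
    account = directory.resolve(sender)
    if account is None:
        # Address cannot be confirmed as belonging to anyone: blocked under
        # Friends Only, otherwise it goes to the "Other" folder.
        return "blocked" if setting == FRIENDS_ONLY else "other"
    if directory.is_friend(recipient, account):
        # Decided by account identity only: a compromised friend account passes here too.
        return "inbox"
    if setting == FRIENDS_ONLY:
        return "blocked"
    return "inbox" if directory.is_friend_of_friend(recipient, account) else "other"


# Constructed sample directory: alice -- bob -- carol, bob has one confirmed address.
SAMPLE = Directory(
    friends={"alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"}},
    confirmed_emails={"bob@example.com": "bob"},
)


def demo():
    """Route a few constructed senders to alice under both settings."""
    return {
        "friend": route(SAMPLE, "alice", "bob", EVERYONE),
        "friend_via_confirmed_email": route(SAMPLE, "alice", "bob@example.com", FRIENDS_ONLY),
        "friend_of_friend_default": route(SAMPLE, "alice", "carol", EVERYONE),
        "friend_of_friend_friends_only": route(SAMPLE, "alice", "carol", FRIENDS_ONLY),
        "stranger_default": route(SAMPLE, "alice", "mallory", EVERYONE),
        "spoofed_address_default": route(SAMPLE, "alice", "bob@evil.example", EVERYONE),
        "spoofed_address_friends_only": route(SAMPLE, "alice", "bob@evil.example", FRIENDS_ONLY),
    }


if __name__ == "__main__":
    for case, folder in demo().items():
        print(f"{case:32} -> {folder}")
```

Note that nothing in the policy inspects message content: an unconfirmed address claiming to be a friend is stopped only because it is unconfirmed, while anything sent from a friend's real account is trusted outright.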

Could I receive spam and malware via the new system?
Yes. The new features do increase the attack surface of the Facebook platform, and make the accounts of users all the more alluring for cybercriminals to break into.

Facebook accounts will now be linked with many more people in your social circle – opening up new opportunities for identity fraudsters to launch attacks. Furthermore, because Facebook will be storing a complete archive of all of your communications with one person – there will be concerns as to how such data could be misused if it fell into the wrong hands.

It will be critical for Facebook to implement more effective filtering mechanisms to prevent fraudsters from manipulating Facebook users into falling victim to new spams, scams and phishing attacks.

For instance, the new messaging system allows users to send not just links, photos, and videos to each other – but also external files such as documents and spreadsheets. These could be malware-infected or carry spam messages. It’s unclear at the moment whether Facebook will put any restrictions on the types of files that can be attached to messages.
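The FAQ leaves open whether attachments will be restricted at all. As an added example of what such a restriction looks like in practice (not Facebook's code; the allowlist, size limit and sample files are constructed for this example), the check below accepts a file only if its extension is on an allowlist and its leading bytes match that type, which catches the common trick of renaming an executable to look like a document.

```python
# Attachment screening: extension allowlist plus a leading-bytes check.
# Constructed example; the allowed types and size limit are assumptions.

ALLOWED = {
    # extension: leading bytes the content must start with
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",   # OOXML is a ZIP container; this only proves it is a ZIP
}
MAX_BYTES = 25 * 1024 * 1024  # assumed limit


def check_attachment(filename, data, max_bytes=MAX_BYTES):
    """Return (accepted, reason) for one attachment."""
    # Use only the final path component, whatever separator the client sent.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    if "." not in name:
        return False, "no extension"
    ext = "." + name.rsplit(".", 1)[1]   # last extension wins: "x.pdf.exe" is .exe
    if ext not in ALLOWED:
        return False, f"extension {ext} is not on the allowlist"
    if len(data) > max_bytes:
        return False, "attachment exceeds size limit"
    if not data.startswith(ALLOWED[ext]):
        return False, f"content does not match {ext} (possibly a renamed file)"
    return True, "ok"


# Constructed sample attachments (a few header bytes each, not real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "C:\\Users\\me\\invoice.exe.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    "README": b"plain text",
}


def screen_all(samples=SAMPLES):
    """Map each sample filename to whether it would be accepted."""
    return {name: check_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name!r:40} {check_attachment(name, data)}")
```

The leading-bytes check is a cheap filter, not a malware scan: a genuine PDF or DOCX can still carry malicious content, so a service that accepts documents would pair this with scanning of the file itself.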

Attaching a file

Meanwhile, users will need to take greater care of the security of their Facebook account than ever before. Keeping security software up-to-date on their computers, policing which applications are linked to their Facebook profile, and choosing sensible, unique, hard-to-crack passwords will be essential.

Facebook users mustn’t fool themselves into believing that they are safe as long as they only trust the messages sent to them by their Facebook friends, as those accounts can still be compromised by malicious hackers.

I don’t have to use Facebook if I don’t want to, right?
Right. But if you go around telling everyone your Facebook email address that’s going to make it a whole lot more difficult to quit Facebook in the future. This, no doubt, is part of Facebook’s strategy.

Next steps?
You can learn more about Facebook’s new messages system in the FAQ they have published on their site.

If you want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.