While websites can take many steps to ensure their own code is secure, there’s often no way to completely prevent malicious code running on client computers from abusing stolen website credentials. That’s exactly the type of problem Facebook’s security team has been dealing with over the past two days, as at least two variants of new worms have been spreading to thousands of users across the site.
Responding to the situation, Facebook’s Head of Security Max Kelly said in the company blog earlier tonight,
We spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on Walls urging users to view a video that pretends to be hosted on a Google or YouTube website. We’ve identified and blocked the ability to link to the malicious websites from anywhere on Facebook. Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware.
Kelly encourages Facebook users to never share their password and report any suspicious activity.
While Facebook hasn’t experienced widespread worm abuse in the past, it must continue to invest in early-warning detection systems that shut down these kinds of attacks before they spread very far. That is what preserves the trust users place in the company to manage and store great amounts of personal information.