Facebook Revamps Pages Administrator Security Controls

Access controls will help prevent clickjacking attacks by allowing page managers to restrict others' administrator privileges.

Facebook this week gave administrators of Pages--its online offering for businesses and organizations--new security capabilities. They can now delegate restricted administrator rights to other people.

Facebook detailed the changes on its Admin Roles page, including the five new roles (listed in order of greatest to least access rights): manager, content creator, moderator, advertiser, and insights analyst.

"Facebook page managers have the power to send messages, view insights, and create posts and adverts. Crucially, they are also the only role which can access admin roles, and remove other administrators," said Graham Cluley, a senior technology consultant at Sophos, in a blog post. Each administrator must also be unique--that is, tied to a different person's Facebook page.

Pages are used by numerous businesses and personalities--including Lady Gaga, Justin Bieber, Coca-Cola, Disney, and MTV--as part of their online brand strategy. But they're also an attractive target for attackers since, if hijacked, they provide a one-stop shop for potentially scamming millions of Facebook users. "A Facebook page which has been hijacked could be used to spread malicious links, spam, or scams--all in your brand's name," said Cluley.

After hijacking a Facebook page, attackers will often launch a clickjacking--also known as likejacking--attack, which exploits various cross-site capabilities built into Facebook. Some attackers, for example, hide a link over the top of a Facebook "like" button, then trick a user into clicking the button. That, in turn, generates a status update on the user's Facebook page that includes the scam or malicious link, enticing others to click on it. Other attackers, meanwhile, abuse the "share" button functionality in similar ways.

With Facebook's access-control changes, however, even if attackers manage to hijack Facebook user accounts that include access rights to Pages, they'll find many fewer accounts that grant them all-inclusive access rights.

That change brings Pages in line with long-established information security best practices: only give people the least amount of access they need to do their job. "In the past, staff who simply wanted to access a Facebook page's admin panel to view statistics on how users were engaging with it, or running advertising campaigns, needed full admin rights--something which could be a disaster waiting to happen," said Cluley.

Restricting access, however, helps mitigate any fallout if the account gets compromised, or in the case of insiders who turn malicious, helps prevent sensitive data from being exfiltrated, or the Facebook Pages themselves from being sabotaged.
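
The least-privilege point above can be turned into a simple audit of who holds more access than their tasks require. This is an added example, not Facebook's code or anything from the article; the per-role capability sets and the sample admin list are assumptions constructed for illustration, since the article states only the role ordering and the manager's capabilities.

```python
# Roles in the order the article lists them, greatest to least access.
ROLES = ["manager", "content creator", "moderator", "advertiser", "insights analyst"]

# ASSUMPTION: capability sets per role. The article spells out only the
# manager's abilities; the nesting below is illustrative and follows the
# stated ordering.
CAPS = {
    "manager": {"manage_roles", "create_posts", "send_messages", "create_ads", "view_insights"},
    "content creator": {"create_posts", "send_messages", "create_ads", "view_insights"},
    "moderator": {"send_messages", "create_ads", "view_insights"},
    "advertiser": {"create_ads", "view_insights"},
    "insights analyst": {"view_insights"},
}

def least_role(needed):
    """Return the lowest-access role whose capabilities cover `needed`."""
    needed = set(needed)
    unknown = needed - CAPS["manager"]
    if unknown:
        raise ValueError(f"unknown capability: {sorted(unknown)}")
    for role in reversed(ROLES):  # try the least access first
        if needed <= CAPS[role]:
            return role

def audit(admins):
    """Flag admins whose current role exceeds what their tasks need.

    admins: iterable of (name, current_role, tasks).
    Returns (name, current_role, suggested_role, excess_capabilities) tuples;
    the excess is what a hijacker of that account would gain for no reason.
    """
    findings = []
    for name, current, tasks in admins:
        if current not in CAPS:
            raise ValueError(f"unknown role: {current}")
        target = least_role(tasks)
        if ROLES.index(target) > ROLES.index(current):
            excess = sorted(CAPS[current] - CAPS[target])
            findings.append((name, current, target, excess))
    return findings

# Constructed sample: the pre-change situation the article describes, where
# staff who only view statistics or run ads hold full admin rights.
SAMPLE_ADMINS = [
    ("alice", "manager", {"manage_roles", "create_posts"}),
    ("bob", "manager", {"view_insights"}),
    ("carol", "manager", {"create_ads", "view_insights"}),
    ("dave", "moderator", {"send_messages"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ADMINS):
        print(finding)
```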

Comments
Deb Donston-Miller,
User Rank: Apprentice
6/5/2012 | 10:08:59 AM
re: Facebook Revamps Pages Administrator Security Controls
Considering what companies have been doing on Facebook for a while now, these new features are a little late but much appreciated.

Deb Donston-Miller
Contributing Editor, The BrainYard
MiteshS598,
User Rank: Apprentice
6/9/2013 | 8:11:11 AM
re: Facebook Revamps Pages Administrator Security Controls
I am no longer able to administer the fb page which I had created. It seems another admin must have removed the admin role. Is there any way of getting the access back, as I am the creator of the page?