• Facebook and Twitter Attacks

    July 27th, 2009 | Jonas | Uncategorized

    Facebook isn’t nearly as vulnerable to XSS attacks, since embedding code in your page is not a major part of the experience. The biggest Facebook attack so far - the Koobface worm (artist’s impression above) - instead relied on users clicking a link in a Facebook message and visiting a site to download a file. Other attacks relied upon users entering their Facebook login details on third-party sites.

    Twitter, however, was vulnerable to XSS attacks because hackers realized that you could place rogue code into the “location” field of a profile. This was a major security hole, since nothing more than visiting a page was needed to get your account compromised. In addition, Twitter’s viral nature dramatically increased the speed at which the attack could spread. However, Twitter now claims to have closed this hole.
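
The profile-field hole described above is stored XSS. As an added example (not from the original post and not Twitter's code), this JavaScript renders constructed "location" values first without and then with output encoding; the markup, the function names, and the assumption that the field was written into the page unencoded are all hypothetical.

```javascript
// Added example: markup and names are hypothetical, not Twitter's code.

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the user-controlled field is concatenated into markup as-is.
function renderLocationUnsafe(profile) {
  return '<span class="location" title="' + profile.location + '">' +
    profile.location + "</span>";
}

// Hardened: the field is encoded everywhere it is written into the page.
function renderLocationSafe(profile) {
  const loc = escapeHtml(profile.location);
  return '<span class="location" title="' + loc + '">' + loc + "</span>";
}

// Constructed sample values for the "location" field.
const SAMPLES = {
  benign: "Tom & Jerry's, San Francisco",
  scriptTag: "<script>alert(1)</script>",
  attrBreakout: '" onmouseover="alert(1)',
};

// Render every sample both ways so the outputs can be compared.
function demo() {
  const out = {};
  for (const [name, location] of Object.entries(SAMPLES)) {
    out[name] = {
      unsafe: renderLocationUnsafe({ location }),
      safe: renderLocationSafe({ location }),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

This encoding covers HTML text and quoted attribute values only; a field written into a script block or a URL needs the encoding for that context instead.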

    Facebook is also much safer than email: when a phishing link is found, Facebook can disable it centrally, removing it from all messages across the site. The difference is that we’ve learned to be cautious about links in emails, while we’ve learned to be very trusting of links in Facebook messages from friends. The Facebook threat is a trust issue, not a technical one with the Facebook site.

    So while Facebook attacks might seem unpleasant, take comfort in the fact that Facebook is much more secure than what came before it.




