Facebook has introduced new mechanisms designed to prevent clickjacking and rogue code pasting tricks commonly used in survey scams. The scam prevention measures were revealed in a post on the Facebook Security page announcing various security-related changes on the platform.
Clickjacking is a type of attack that exploits a design flaw in how browsers work: using legitimate web programming techniques, attackers can make a button invisible and overlay it on another, harmless-looking element.
In such attacks, users believe they are performing legitimate actions when in fact their clicks are hijacked and used to perform unauthorized ones.
On Facebook, this technique is used by scammers to trick users into sharing spam messages on their walls and liking rogue pages.
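As an added illustration (not code from the article or from Facebook), the following Node.js script audits a page's own defence against the overlay trick described above. A page can only be stacked invisibly over another site's element if that site is allowed to load it in a frame, and that permission is governed by the Content-Security-Policy frame-ancestors directive and the older X-Frame-Options header. The header names are real, but the sample responses, the "partner.example" origin and the function names are constructed for this example.

```javascript
// Added example (not from the article or from Facebook): classify whether a
// response's headers let a third-party site embed the page in a frame, which
// is the precondition for invisible-overlay clickjacking.
// Assumption: header names are lowercased as Node's http module does; a value
// may be a string or, for repeated headers, an array of strings.

// Normalise a header value to a single string (repeated headers are joined).
function headerValue(headers, name) {
  const v = headers[name.toLowerCase()];
  if (v === undefined) return null;
  return Array.isArray(v) ? v.join(', ') : String(v);
}

// Extract the source tokens of a CSP frame-ancestors directive.
// Returns null if the directive is absent. Directives are split on ';' and,
// because joined repeated headers are comma separated, also on ','.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(/[;,]/)) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Returns { framable, by, reason } where 'by' is one of
// 'nobody', 'same-origin', 'listed-origins' or 'anyone'.
function frameabilityVerdict(headers) {
  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  const ancestors = frameAncestors(headerValue(headers, 'content-security-policy'));
  if (ancestors !== null) {
    // An empty list, or 'none' as the sole source, matches no ancestor.
    if (ancestors.length === 0 || (ancestors.length === 1 && ancestors[0] === 'none')) {
      return { framable: false, by: 'nobody', reason: "CSP frame-ancestors 'none'" };
    }
    if (ancestors.length === 1 && ancestors[0] === 'self') {
      return { framable: true, by: 'same-origin', reason: "CSP frame-ancestors 'self'" };
    }
    if (ancestors.includes('*')) {
      return { framable: true, by: 'anyone', reason: 'CSP frame-ancestors *' };
    }
    return { framable: true, by: 'listed-origins', reason: 'CSP frame-ancestors ' + ancestors.join(' ') };
  }

  const xfo = headerValue(headers, 'x-frame-options');
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { framable: false, by: 'nobody', reason: 'X-Frame-Options: DENY' };
    if (value === 'SAMEORIGIN') return { framable: true, by: 'same-origin', reason: 'X-Frame-Options: SAMEORIGIN' };
    // ALLOW-FROM and unknown values are ignored by modern browsers, so the
    // page is effectively unprotected; report it that way.
    return { framable: true, by: 'anyone', reason: 'X-Frame-Options value not honoured by browsers: ' + xfo };
  }

  return { framable: true, by: 'anyone', reason: 'no framing restriction header' };
}

// Constructed sample responses (not real Facebook headers).
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  legacyDeny: { 'x-frame-options': 'DENY' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWins: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors https://partner.example' },
};

// Audit every sample and return the verdicts keyed by sample name.
function auditAll(samples) {
  return Object.fromEntries(Object.entries(samples).map(([k, h]) => [k, frameabilityVerdict(h)]));
}

for (const [name, verdict] of Object.entries(auditAll(SAMPLES))) {
  console.log(name, verdict);
}
```

The "cspWins" sample shows the rule that trips up many audits: a strict X-Frame-Options header is ignored once a frame-ancestors directive is present, so the page is framable by the listed origin even though the legacy header says DENY. Only the "nobody" and "same-origin" verdicts close the door on the overlay trick; "anyone" is the state a clickjacking page needs.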
"We have built defenses to detect clickjacking of the Facebook Like button and to block links to known clickjacking pages. Recently, we improved our systems to also alert people if we think they’re being tricked.
"Now, when we detect something suspicious, we’ll ask you to confirm your like before posting a story to your profile and your friends’ News Feeds," the company explains.
The second trick, persuading people to paste attacker-supplied code into the browser's address bar, piggybacks on their active Facebook sessions to perform unauthorized actions. The company has developed an anti-XSS filter designed specifically to catch this type of abuse.
"Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it’s a bad idea," Facebook said.
Of course, users should learn to spot these scams and steer clear of them before Facebook's systems are needed, because no protection mechanism is as good as common sense.