Clickjacking Exploited On Microblogging Website Twitter.com

February 13th, 2009

Clickjacking Exploited On Microblogging Website Twitter.com

A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they’re being attacked.

The outbreak was touched off by tweets that led Twitter readers to a button labeled “Don’t click.” Gullible users who clicked on the button automatically posted messages that posted yet more tweets advertising the link. The attacks persisted even after Twitter added countermeasures to its site and proclaimed the issued fixed.

The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere. The so-called clickjacking exploit is pulled off by superimposing an invisible iframe over a button or link. Virtually every website and browser is susceptible to the technique. Technical details are available here.

“Before, it was more theoretical,” security researcher Jeremiah Grossman said of clickjacking. “Now, this is evidence that it can be used and it’s only a matter of time before it’s used maliciously.”

Grossman, who is CTO of web-security firm WhiteHat Security, first sounded the clickjacking alarm in September, along with Robert “RSnake” Hansen, CEO of secTheory.com. They say it can be used to trick users into believing a link leads to, say, Google when in fact it leads to a money-transfer page, a banner advertisement that’s part of a click-fraud scheme, or any other page an attacker chooses.

Their research has led to security updates in Adobe’s Flash software, but clickjacking remains a threat on virtually every platform, browser, and website, they warn. More recently, Microsoft has added anti-clickjacking protections to its Internet Explorer 8 browser, which is currently in beta. While that’s a step in the right direction, some critics have contended the protection will be ineffective because it will require millions of websites to update their pages with proprietary code.

The Twitter attack lends some credence to claims that clickjacking will be hard to stop. Twitter developers on Thursday added code to its pages that were designed to neutralize frames placed in Twitter pages by changing the pages’ location. “Problem should be gone,” Twitter’s network operations manager declared shortly afterward. Within hours, the exploit code had been modified to work around the countermeasure.

Credit: The Register

Share this item with others:

More on CyberInsecure:

Facebook Users Can Be Forced Into Liking Arbitrary Pages Through Clickjacking

PC Webcams Might Be Abused Through Clickjacking To Silently Spy On Users

Researchers discover new cross-browser exploit that affects all major desktop platforms

Clickjacking Worm Hits Facebook, Hundreds Of Thousands Affected

Facebook Hit With A New Clickjacking Worm

Posted in Breaches And Incidents, Social Networks, Spam, Vulnerabilities |

Print This Post

This entry was posted on Friday, February 13th, 2009 at 9:24 pm and is filed under Breaches And Incidents, Social Networks, Spam, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

If you found this information useful, consider linking to it from your own website.
Just copy and paste the code below into your website (Ctrl+C to copy)
It will look like this: Clickjacking Exploited On Microblogging Website Twitter.com

Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.