Peaches Posted February 14, 2009

Twitter attack exposes awesome power of clickjacking
Hard to stop, harder to resist
By Dan Goodin in San Francisco, 13th February 2009 19:56 GMT

A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they're being attacked.

The outbreak was touched off by tweets that led Twitter readers to a button labeled "Don't click." Gullible users (including your reporter) who clicked on the button automatically posted messages that posted yet more tweets advertising the link. The attacks persisted even after Twitter added countermeasures to its site and proclaimed the issue fixed.

The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere. The so-called clickjacking exploit is pulled off by superimposing an invisible iframe over a button or link. Virtually every website and browser is susceptible to the technique.
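The article above says the attack works by laying an invisible iframe over a real button, so the precondition on the victim site's side is that its pages can be embedded in a frame by an arbitrary origin. The block below is an added defender's check, not code from the thread, from Twitter, or from either news outlet: it evaluates a set of HTTP response headers and reports whether current browsers would allow a cross-origin page to frame the response, using the two anti-framing mechanisms that exist today (Content-Security-Policy frame-ancestors and X-Frame-Options). The function names and the sample header sets are constructed for the example.

```javascript
// Added example (not part of the thread): decide whether a set of HTTP
// response headers lets the page be embedded in a cross-origin iframe, which
// is what the clickjacking technique described in the article depends on.
// The sample header sets at the bottom are constructed, not captured.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns { framable: boolean, reason: string }. "framable" is true when no
// header stops a hostile origin from embedding the page in an iframe.
function assessFramingPolicy(headers) {
  // Header names are case-insensitive; normalise them to lower case.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors takes precedence over X-Frame-Options in browsers
  // that support it (a single CSP header is assumed here; multiple headers
  // would each need to be parsed and the most restrictive applied).
  if (h["content-security-policy"]) {
    const csp = parseCsp(h["content-security-policy"]);
    const ancestors = csp["frame-ancestors"];
    if (ancestors) {
      const allowed = ancestors.map((s) => s.replace(/^'|'$/g, "").toLowerCase());
      if (allowed.length === 1 && allowed[0] === "none") {
        return { framable: false, reason: "CSP frame-ancestors 'none'" };
      }
      if (allowed.includes("*")) {
        return { framable: true, reason: "CSP frame-ancestors allows any origin (*)" };
      }
      if (allowed.every((s) => s === "self")) {
        return { framable: false, reason: "CSP frame-ancestors 'self' (same-origin only)" };
      }
      return { framable: false, reason: "CSP frame-ancestors restricted to: " + allowed.join(" ") };
    }
  }

  if (h["x-frame-options"]) {
    const xfo = h["x-frame-options"].trim().toUpperCase();
    if (xfo === "DENY") return { framable: false, reason: "X-Frame-Options DENY" };
    if (xfo === "SAMEORIGIN") return { framable: false, reason: "X-Frame-Options SAMEORIGIN" };
    // ALLOW-FROM is obsolete and ignored by current browsers, so any other
    // value gives no protection.
    return { framable: true, reason: "X-Frame-Options value not enforced by current browsers: " + xfo };
  }

  return { framable: true, reason: "no anti-framing header present" };
}

// Constructed sample header sets (hypothetical, not from any real site).
const SAMPLES = {
  unprotected: { "Content-Type": "text/html" },
  xfoDeny: { "Content-Type": "text/html", "X-Frame-Options": "DENY" },
  xfoObsolete: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { "Content-Security-Policy": "frame-ancestors 'self' https://partner.example" },
  cspWildcard: { "Content-Security-Policy": "frame-ancestors *" },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLES)) {
    const verdict = assessFramingPolicy(headers);
    console.log(`${name}: ${verdict.framable ? "FRAMABLE" : "protected"} (${verdict.reason})`);
  }
}
```

Run it with `node` to see the verdict for each sample. A page that returns neither header (the situation the article describes for "virtually every website" in 2009) comes back as framable; the same check run against real response headers is a quick way to inventory which pages of a site still lack an anti-framing policy.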
Peaches Posted February 14, 2009

February 13, 2009 11:46 AM PST
Twitter fends off second clickjacking attack
by Elinor Mills

Twitter fended off a second clickjacking attack on Thursday night as the popular microblogging site plays cat-and-mouse with a prankster, the site confirmed on Friday.

"Yes, there was a second approach later in the day, same story as the first but with a slightly modified technique," Twitter co-founder Biz Stone wrote in an e-mail. "We took care of that too. Every day we're finding ways to improve the system."

"It's a convoluted cat-and-mouse game," Jeremiah Grossman, chief technology officer of WhiteHat Security, said earlier on Friday. "At least for the moment, Twitter is winning."

Twitter users first noticed the clickjacking prank on Thursday and later that day Twitter had shut it down. Tweets were popping up that said "Don't Click" followed by a link. Clicking the link took the user to a page that included a button that said "Don't Click." Clicking the button automatically distributed the identical tweet. As you can imagine, this spread pretty quickly.

Cnet for full details: http://news.cnet.com/security/