Twitter attack exposes awesome power of clickjacking

A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they're being attacked. The outbreak was touched off …

COMMENTS

This topic is closed for new posts.
  1. Charlie Clark

    Duping Twats*

    Shurely that happened once they signed up for the service?

    *The name affectionately given to users of the Twatter online timewasting service.

  2. Anonymous Coward

    CyberSub

    "Issue fixed" I think you will find.

    "Twitter added countermeasures to its site and proclaimed the issued fixed."

  3. Jodo Kast

    Invisible IFrames: From Microsoft

    Another great security fiasco: The IFrame.

    It's a shame that Microsoft only recently got interested in security.

  4. Anonymous Coward

    welcome to the snake pit

    read the analysis, it looks as though turning off javascript will sort it out?

  5. Mark Zip

    Umm, NoScript?

    Not even a passing mention of NoScript?

    Not even a sarcastic aside intended to preempt smug comments like this from Firefox users with the (apparently not ubiquitous enough) plugin?

    Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit.

    C'mon, El Reg, our snark-o-meters are in need of more of a workout!

  6. Anonymous Coward

    @ Jodo Kast

    "It's a shame that Microsoft only recently got interested in security."

    0_o They did? Why wasn't anyone told?

  7. Anonymous Coward

    LOL

    The web is such a joke. It's like a networked MS application that everyone has to play with. Oh hang on, with IE used by most, I guess it really is :-)

    Only solution.

    A complete new system, built with security in mind. How about we call it 'Scissors.'

    [Snip]

  8. Anonymous Coward

    Enough with the FUD

    "The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere...Virtually every website and browser is susceptible to the technique."

    Seems more like a problem with rendering, and that I would have no problems with this on, say, Lynx. Hardly a vuln at the core of the web. Also it's pretty hard to attack a webpage that doesn't allow user-submitted HTML content, which must be a large portion of webpages?

  9. Danny Thompson

    IFrames? Microsoft? WTF??

    "Another great security fiasco: The IFrame."

    Microsoft? No, I read on their website somewhere that was an Apple contrivance, like everything else beginning with an "I".

    "It's a shame that Microsoft only recently got interested in security."

    Surely, "Microsoft" and "security" used in the same sentence is an oxymoron.

  10. Jared Earle

    @Mark Zip

    "Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."

    The sploit was all over in a matter of hours once tinyurl marked the URL used as spam. A few days later? Well, that'd be when El Reg reported on it. :)

    "Don't Click" evolved from the French "Truc du Jour" click-jacker that used the same technique the day before: http://dropbox.23x.net/tdj.html

  11. Richard Porter

    "Virtually every web site and browser"?

    Not if it doesn't do iframes or javascript, and does show the underlying link before you click.

  12. Anonymous Coward

    serves you right

    1) for using Twitter

    2) for going to random links that get thrown your way (*)

    (*) the amount of people that just follow every random link they get sent via email, popups, AIM etc is incredible.... it's like goldfish all desperately lunging after the flakes of fishfood thrown into a tank..

  13. Mark Zip

    @Jared Earle

    Well, sorry I was not as precise as I should have been.

    "Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."

    This sentence referred to the first instances of the clickjacking discussions back in September 2008. http://www.pcworld.idg.com.au/article/260609/adobe_request_hackers_nix_clickjacking_talk

    NoScript users were protected by default if they simply checked the "Forbid <IFRAME>" option.

    Soon after the clickjacking proofs of concept were published, the NoScript plugin authors incorporated a feature called "ClearClick". This feature works independently of the IFRAME blocking method. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/

    Mine's the one with the scripting pockets sewn up...

  14. Tom

    Only solution.

    A complete new system, built with security in mind. How about we call it 'Scissors.'

    But we can't run with that.

  15. Kevin Bailey

    @Danny Thompson

    iframes were a Microsoft bodge.

    http://en.wikipedia.org/wiki/Iframe

    "First introduced by Microsoft Internet Explorer in 1997 and long only available in that browser, iframes eventually became supported by all major brands."

    Not sure if you were being ironic - but thought I'd set things straight.

  16. Moss Icely Spaceport

    Collective noun for Twitter users?

    Why, Twits of course!

    (AKA: numpties)

  17. Neoc

    I must be missing something

    Whenever I see a link, I hover over it and look at the URI at the bottom of the browser. Does an iFrame somehow spoof that as well, or are people simply stupid?

    Yes, I realise this is not an XOR question.

  18. Andy Worth

    Yet another....

    ....proof that something which says "Do not push the big red button" will result in people doing exactly that. So when the "Your computer is infected....download the xyz antispyware now!" fails, they just put a button that says "Don't click this" or something similar, and thousands of normally sensible people will abandon their common sense and click it!!

    Mind you, I'd probably have clicked it too, if I'd ever been on Twitter.

  19. Anonymous Coward

    Deity of choice here

    Were you all abused as children by twitter or something? Terrified of birds perhaps? Do we really need to have the "Hurr durr twitter is for retards" discussion every time it's mentioned in an article? It's getting as tired as the Vista bashing that follows every article even tangentially related to Microsoft.

  20. Cameron Colley

    RE: I must be missing something

    I think I'm missing something too.

    Most of these "clickjacking" type "exploits" just sound like social engineering to me rather than anything technical that needs fixing.

    I'm willing to be proved wrong though -- if someone comes up with a way of making a link on <insert random social networking site> that logs me in to an online store and sends things to someone else's address with my money, or siphons my bank account by logging me into online banking.

  21. TeeCee

    @Andy Worth

    I think what you're trying to say is:

    "What happens if I push this button?"

    "I wouldn't....."

    <Bing>

    "Oh."

    "What happened?"

    "A little sign lit up saying: 'Please do not push this button again'.".
