Duping Twats*
Shurely that happened once they signed up for the service?
*The name affectionately given to users of the Twatter online timewasting service.
A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they're being attacked. The outbreak was touched off …
Not even a passing mention of NoScript?
Not even a sarcastic aside intended to preempt smug comments like this from Firefox users with the (apparently not ubiquitous enough) plugin?
Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit.
C'mon, El Reg, our snark-o-meters are in need of more of a workout!
"The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere...Virtually every website and browser is susceptible to the technique."
Seems more like a problem with rendering, and that I would have no problems with this on, say, Lynx. Hardly a vuln at the core of the web. Also it's pretty hard to attack a webpage that doesn't allow user-submitted HTML content, which must be a large portion of webpages?
"Another great security fiasco: The IFrame."
Microsoft? No, I read on their website somewhere that was an Apple contrivance, like everything else beginning with an "I"
"It's a shame that Microsoft only recently got interested in security."
Surely, "Microsoft" and "security" used in the same sentence is an oxymoron.
"Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."
The sploit was all over in a matter of hours once tinyurl marked the URL used as spam. A few days later? Well, that'd be when El Reg reported on it. :)
"Don't Click" evolved from the French "Truc du Jour" click-jacker that used the same technique the day before: http://dropbox.23x.net/tdj.html
1) for using Twitter
2) for going to random links that get thrown your way (*)
(*) the number of people that just follow every random link they get sent via email, popups, AIM etc. is incredible.... it's like goldfish all desperately lunging after the flakes of fish food thrown into a tank..
Well, sorry I was not as precise as I should have been.
"Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."
This sentence referred to the first instances of the clickjacking discussions back in September 2008. http://www.pcworld.idg.com.au/article/260609/adobe_request_hackers_nix_clickjacking_talk
NoScript users were protected by default if they simply checked the "Forbid <IFRAME>" option.
Soon after the clickjacking proofs of concept were published, the NoScript plugin authors incorporated a feature called "ClearClick". This feature works independently of the IFRAME blocking method. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/
Mine's the one with the scripting pockets sewn up...
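The post above covers the client-side end of the defence (NoScript refusing to render frames, or ClearClick checking what is really under the pointer). The server-side counterpart, which is what a site has to do to protect visitors on every browser, is to tell the browser who may frame the page, via the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the thread or from NoScript: a small audit that takes a page's response headers and the origin of a would-be framing page and says whether a browser would let the page be framed, which is the precondition for the iframe-overlay trick the article describes. The header names and matching rules are the real ones; the sample responses, URLs and site names are constructed for the example.

```javascript
// Added example: would a browser let attackerUrl put pageUrl in an <iframe>?
// Clickjacking needs the victim page rendered inside the attacker's page, so a
// site that forbids framing from foreign origins is not exposed to it.
// Rules modelled: CSP frame-ancestors (takes precedence when present) and the
// older X-Frame-Options header (DENY / SAMEORIGIN). ALLOW-FROM and any other
// X-Frame-Options value are not enforced by current browsers, so they count as
// "frameable". Sample data below is constructed, not captured from any site.

const DEFAULT_PORT = { http: '80', https: '443' };

function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || '' };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Match one frame-ancestors source expression against the framing origin.
function sourceMatches(src, framer, page) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(framer, page);
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1); // "https:"
  // [scheme://][*.]host[:port]  e.g. https://*.example.com:443
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // malformed source never matches
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== framer.scheme) return false;
  if (port && port !== '*' && port !== framer.port) return false;
  if (!port && framer.port !== DEFAULT_PORT[framer.scheme]) return false; // spec: no port means default port
  // "*.example.com" covers subdomains only, never the apex "example.com"
  return wildcard ? framer.host.endsWith('.' + host) : framer.host === host;
}

// Pull the frame-ancestors source list out of a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function canBeFramed(headers, pageUrl, framerUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = originOf(pageUrl);
  const framer = originOf(framerUrl);

  const sources = h['content-security-policy'] ? frameAncestors(h['content-security-policy']) : null;
  if (sources) {
    const ok = sources.some((s) => sourceMatches(s, framer, page));
    return { framed: ok, reason: `CSP frame-ancestors ${sources.join(' ')}` };
  }
  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return { framed: false, reason: 'X-Frame-Options: DENY' };
    if (v === 'SAMEORIGIN') return { framed: sameOrigin(framer, page), reason: 'X-Frame-Options: SAMEORIGIN' };
    return { framed: true, reason: `X-Frame-Options "${xfo.trim()}" is not enforced by browsers` };
  }
  return { framed: true, reason: 'no framing policy at all' };
}

// Names of the sample responses an attacker at attackerUrl could frame.
function frameableBy(responses, pageUrl, attackerUrl) {
  return Object.entries(responses)
    .filter(([, headers]) => canBeFramed(headers, pageUrl, attackerUrl).framed)
    .map(([name]) => name);
}

// Constructed sample responses (hypothetical sites, not real captures).
const SAMPLE_RESPONSES = {
  'blog (no policy)': {},
  'bank (deny)': { 'X-Frame-Options': 'DENY' },
  'intranet (sameorigin)': { 'x-frame-options': 'sameorigin' },
  'sso (csp)': {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.example.com",
  },
  'legacy (allow-from)': { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};

const PAGE_URL = 'https://victim.example/account';
const ATTACKER_URL = 'https://attacker.example/';
for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const r = canBeFramed(headers, PAGE_URL, ATTACKER_URL);
  console.log(`${name}: ${r.framed ? 'FRAMEABLE' : 'protected'} (${r.reason})`);
}
console.log('exposed:', frameableBy(SAMPLE_RESPONSES, PAGE_URL, ATTACKER_URL).join(', '));
```

Run it against the headers of a real login or "post a message" page to see which of the two situations the thread argues about applies: a page with no framing policy is open to the overlay trick in any browser that renders frames, and only the user's own plugin stands in the way; a page that sends DENY or a restrictive frame-ancestors list is closed to it regardless of what the visitor runs.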
iframes were a Microsoft bodge.
http://en.wikipedia.org/wiki/Iframe
"First introduced by Microsoft Internet Explorer in 1997 and long only available in that browser, iframes eventually became supported by all major brands."
Not sure if you were being ironic - but thought I'd set things straight.
....proof that something which says "Do not push the big red button" will result in people doing exactly that. So when the "Your computer is infected....download the xyz antispyware now!" fails, they just put a button that says "Don't click this" or something similar, and thousands of normally sensible people will abandon their common sense and click it!!
Mind you, I'd probably have clicked it too, if I'd ever been on Twitter.
Were you all abused as children by Twitter or something? Terrified of birds perhaps? Do we really need to have the "Hurr durr Twitter is for retards" discussion every time it's mentioned in an article? It's getting as tired as the Vista bashing that follows every article even tangentially related to Microsoft.
I think I'm missing something too.
Most of these "clickjacking" type "exploits" just sound like social engineering to me rather than anything technical that needs fixing.
I'm willing to be proved wrong though -- if someone comes up with a way of making a link on <insert random social networking site> that logs me in to an online store and sends things to someone else's address with my money, or siphons my bank account by logging me into online banking.