Tweet hackers reopen Twitter vuln

Twitter's tit-for-tat struggle against clickjackers continues. Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability. …

COMMENTS

This topic is closed for new posts.
  1. Robert Simmons

    Safari 4...

    Unless Twitter or the poster has closed the bug, it's not working when viewed with the Safari 4 beta...

  2. Adrian Esdaile

    saga?

    What, is it sung around log fires in Norse verse?

    Mine's the one with the horns and big hammer.

  3. Tom Graham

    Explanation

    Robert Simmons, the proof of concept purposely displays the iframe, as it is not intended to cause any harm by tricking unsuspecting Twitter users. Is that what you meant by "not working in Safari 4"?

    "By the time we stumbled on his findings, the exploit no longer worked." - As far as I can tell the exploit still works. To clarify: visiting http://m.twitter.com usually results in the mobile version of Twitter being displayed, however only until a user has selected the "Standard" view using the link at the bottom of each page. The exploit would then no longer work until the user's cookies are cleared (as Twitter seems to store the standard/mobile preference).

  4. Moss Icely Spaceport

    Move along, nothing to see here...

    Twits hacking other twits who use twitter.

    Meh.

  5. Edward Miles

    Noscript...

    ...seems to stop this as well.

  6. Anonymous Coward

    Would this work?

    Add some server-side code to the Twitter submission page to check the page referrer, and have a confirmation screen if the referrer isn't twitter.com.

  7. Stephen

    flicker

    Uh, how about Twitter stop auto-filling the status field when it's passed in a GET request? That's a good fecking start!
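
The two server-side fixes proposed in comments 6 and 7, as an added example that is not part of the article, the comments, or Twitter's own code. It models a hypothetical status-update endpoint: the legacy handler fills the status box from the query string and accepts a POST from anywhere, while the hardened handler ignores the GET parameter, shows a confirmation screen unless the Referer names a first-party host, and sends X-Frame-Options so the page cannot be framed at all without relying on in-page script. The endpoint path, the trusted host list and the HTML are assumptions.

```python
# Added example, not code from the article or from Twitter. The endpoint path
# (/status/update), the trusted hosts and the HTML below are assumptions.
from html import escape
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOSTS = ("twitter.com", "m.twitter.com")  # assumed first-party hosts


def render_form(prefill=""):
    """Minimal status form; the prefill is HTML-escaped so this does not
    trade a clickjacking bug for a reflected XSS bug."""
    return ('<form method="post" action="/status/update">'
            f'<input name="status" value="{escape(prefill, quote=True)}">'
            '<button>update</button></form>')


def render_confirm(status):
    """Confirmation screen shown when the submission did not come from us
    (comment 6). Submitting it sends a Referer from our own host."""
    return ('<p>Post this update?</p>'
            f'<pre>{escape(status)}</pre>'
            '<form method="post" action="/status/update">'
            f'<input type="hidden" name="status" value="{escape(status, quote=True)}">'
            '<button>yes</button></form>')


def referrer_is_trusted(headers):
    """True only if the Referer's parsed hostname is first-party.
    A substring test ('twitter.com' in ref) would accept
    http://twitter.com.attacker.example/, so compare the hostname itself."""
    ref = headers.get("Referer")
    if not ref:
        # Proxies and privacy settings strip Referer; treat that as unknown
        # and fall through to the confirmation screen rather than posting.
        return False
    host = (urlsplit(ref).hostname or "").lower()
    return host in TRUSTED_HOSTS or host.endswith(".twitter.com")


def handle_legacy(method, url, headers, form=None):
    """The behaviour the commenters complain about: GET ?status=... pre-fills
    the box, and a POST is accepted from any origin. Returns
    (status_code, response_headers, body, posted_status_or_None)."""
    query = parse_qs(urlsplit(url).query)
    if method == "GET":
        return 200, {}, render_form(query.get("status", [""])[0]), None
    return 302, {}, "", (form or {}).get("status", "")


def handle_hardened(method, url, headers, form=None):
    """Same endpoint with the fixes from comments 6 and 7, plus an
    X-Frame-Options header so the form cannot be loaded in an attacker's
    iframe in the first place. Same return tuple as handle_legacy."""
    resp_headers = {"X-Frame-Options": "DENY"}
    if method == "GET":
        # Comment 7: never seed the status box from the query string.
        return 200, resp_headers, render_form(""), None
    status = (form or {}).get("status", "")
    if not referrer_is_trusted(headers):
        # Comment 6: ask instead of posting when the referrer is not ours.
        return 200, resp_headers, render_confirm(status), None
    return 302, resp_headers, "", status


if __name__ == "__main__":
    # Constructed request resembling the worm's link: prefilled status via GET.
    attack_url = "http://twitter.com/home?status=Dont+Click"
    print(handle_legacy("GET", attack_url, {})[2])
    print(handle_hardened("GET", attack_url, {})[2])
```

The Referer check is a usability trade-off rather than a strong control: a browser that suppresses the header lands on the confirmation screen every time, and the check adds nothing against a clickjacked frame, since the framed page's own Referer is first-party. That is why the hardened handler also sends X-Frame-Options, which a browser enforces before any page script runs, answering the objection in comment 8.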

  8. Peter Mc Aulay

    Javascript

    This sounds like these epic cretins are relying on javascript to fix security problems. I'm sorry, what? What drugs are they on, and where can I get some?

