Feeds

Twitter attack exposes awesome power of clickjacking

Hard to stop, harder to resist

Beginner's guide to SSL certificates

A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they're being attacked.

The outbreak was touched off by tweets that led Twitter readers to a button labeled "Don't click." Gullible users (including your reporter) who clicked on the button automatically posted messages that posted yet more tweets advertising the link. The attacks persisted even after Twitter added countermeasures to its site and proclaimed the issued fixed.

The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere. The so-called clickjacking exploit is pulled off by superimposing an invisible iframe over a button or link. Virtually every website and browser is susceptible to the technique. Technical details are available here.

"Before, it was more theoretical," security researcher Jeremiah Grossman said of clickjacking. "Now, this is evidence that it can be used and it's only a matter of time before it's used maliciously."

Grossman, who is CTO of web-security firm WhiteHat Security, first sounded the clickjacking alarm in September, along with Robert "RSnake" Hansen, CEO of secTheory.com. They say it can be used to trick users into believing a link leads to, say, Google when in fact it leads to a money-transfer page, a banner advertisement that's part of a click-fraud scheme, or any other page an attacker chooses.

Their research has led to security updates in Adobe's Flash software, but clickjacking remains a threat on virtually every platform, browser, and website, they warn. More recently, Microsoft has added anti-clickjacking protections to its Internet Explorer 8 browser, which is currently in beta. While that's a step in the right direction, some critics have contended the protection will be ineffective because it will require millions of websites to update their pages with proprietary code.

The Twitter attack lends some credence to claims that clickjacking will be hard to stop. Twitter developers on Thursday added code to its pages that were designed to neutralize frames placed in Twitter pages by changing the pages' location. "Problem should be gone," Twitter's network operations manager declared shortly afterward. Within hours, the exploit code had been modified to work around the countermeasure.

Twitter has once again managed to block the attack, but we're confident this isn't the last we'll hear of clickjacking on that site - and plenty of others. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.