Feeds

Tweet hackers reopen Twitter vuln

Clickjack tit-tat

Top 5 reasons to deploy VMware with Tegile

Twitter's tit-for-tat struggle against clickjackers continues.

Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.

The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn't applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.

"The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don't support it," Graham writes. "So it begs the question, how should Twitter prevent this click-jacking exploit?"

Screenshot of clickjacking page

Click "Yes" Here ...

Screenshot of clickjacked Twitter page

And this is what you get here

The proof-of-concept page presents the user with the question "Do you have a tiny face?" along with buttons to answer "yes" or "no." Choosing the affirmative while logged in to Twitter causes the account to publicly declare: "I have a tiny face, do you?" and then include a link to Graham's post.

The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.

That's because clickjacking attacks a fundamental design of HTML itself. It's pulled off by hiding the target URL within a specially designed iframe that's concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.

Two weeks ago, Twitter was able to stifle the attacks by adding code to its site that changed its pages' location. That required the use of javascript that wasn't added to Twitter pages browsed by mobile users, presumably because they may have caused some older handsets not to work.

Readers of Graham's site already have zeroed in on a fix for the problem, but Los isn't sure it's foolproof. That's because it, too, is based on javascript, so it won't be effective against HTML-based attacks. Stay tuned. The clickjacking saga continues. ®

Update

Twitter web developers closed the hole within a few hours of this story being published.

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.