Shurely that happened once they signed up for the service?

*The name affectionately given to users of the Twatter online timewasting service.

Another great security fiasco: The IFrame.

It's a shame that Microsoft only recently got interested in security.

Not even a passing mention of NoScript?

Not even a sarcastic aside intended to preempt smug comments like this from Firefox users with the (apparently not ubiquitous enough) plugin?

Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit.

C'mon, El Reg, our snark-o-meters are in need of more of a workout!

The web is such a joke. Its like a networked MS application that everyone has to play with. Oh hang on, with IE used by most, I guess it really is :-)

Only solution.

A complete new system, built with security in mind. How about we call it 'Scissors.'

[Snip]

"The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere...Virtually every website and browser is susceptible to the technique."

Seems more like a problem with rendering, and that I would have no problems with this on, say, Lynx. Hardly a vuln at the core of the web. Also it's pretty hard to attack a webpage that doesn't allow user-submitted HTML content, which must be a large portion of webpages?

"Another great security fiasco: The IFrame."

Microsoft? No, I read on their website somewhere that was an Apple contrivance, like everything else beginning with an "I"

"It's a shame that Microsoft only recently got interested in security."

Surely, "Microsoft" and "security" used in the same sentence is an oxymoron.

"Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."

The sploit was all over in a matter of hours once tinyurl marked the URL used as spam. A few days later? Well, that'd be when El Reg reported on it. :)

"Don't Click" evolved from the French "Truc du Jour" click-jacker that used the same technique the day before: http://dropbox.23x.net/tdj.html

1) for using Twitter

2) for going to random links that get thrown your way (*)

(*) the amount of people that just follow ervey random link they get

sent via email, popups, AIM etc is incredible.... its like goldfish all

desperately lunging after the flakes of fishfood thrown into a tank..

Well, sorry I was not as precise as I should have been.

"Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."

This sentence referred to the first instances of the clickjacking discussions back in September 2008. http://www.pcworld.idg.com.au/article/260609/adobe_request_hackers_nix_clickjacking_talk

NoScript users were protected by default if they simply checked the "Forbid <IFRAME>" option.

Soon after the clickjacking proofs of concept were published, the NoScript plugin authors incorporated a feature called "ClearClick". This feature works independently of the IFRAME blocking method. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/

Mine's the one with the scripting pockets sewn up...

Why, Twits of course!

(AKA: numpties)

I think what you're trying to say is:

"What happens if I push this button?"

"I wouldn't....."

<Bing>

"Oh."

"What happened?"

"A little sign lit up saying: 'Please do not push this button again'.".