Twitter attack exposes awesome power of clickjacking

A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they're being attacked. The outbreak was touched off by …

COMMENTS


Duping Twats*

Shurely that happened once they signed up for the service?

*The name affectionately given to users of the Twatter online timewasting service.

Anonymous Coward

CyberSub

"Issue fixed" I think you will find.

"Twitter added countermeasures to its site and proclaimed the issued fixed."


Invisible IFrames: From Microsoft

Another great security fiasco: The IFrame.

It's a shame that Microsoft only recently got interested in security.

Anonymous Coward

welcome to the snake pit

read the analysis, it looks as though turning off javascript will sort it out?


Umm, NoScript?

Not even a passing mention of NoScript?

Not even a sarcastic aside intended to preempt smug comments like this from Firefox users with the (apparently not ubiquitous enough) plugin?

Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit.

C'mon, El Reg, our snark-o-meters are in need of more of a workout!

Anonymous Coward

@ Jodo Kast

"It's a shame that Microsoft only recently got interested in security."

0_o They did? Why wasn't anyone told?


LOL

The web is such a joke. It's like a networked MS application that everyone has to play with. Oh hang on, with IE used by most, I guess it really is :-)

Only solution.

A complete new system, built with security in mind. How about we call it 'Scissors.'

[Snip]


Enough with the FUD

"The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere...Virtually every website and browser is susceptible to the technique."

Seems more like a problem with rendering, and I would have no problems with this on, say, Lynx. Hardly a vuln at the core of the web. Also it's pretty hard to attack a webpage that doesn't allow user-submitted HTML content, which must be a large portion of webpages?


IFrames? Microsoft? WTF??

"Another great security fiasco: The IFrame."

Microsoft? No, I read on their website somewhere that was an Apple contrivance, like everything else beginning with an "I".

"It's a shame that Microsoft only recently got interested in security."

Surely, "Microsoft" and "security" used in the same sentence is an oxymoron.


@Mark Zip

"Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."

The sploit was all over in a matter of hours once tinyurl marked the URL used as spam. A few days later? Well, that'd be when El Reg reported on it. :)

"Don't Click" evolved from the French "Truc du Jour" click-jacker that used the same technique the day before: http://dropbox.23x.net/tdj.html


"Virtually every web site and browser"?

Not if it doesn't do iframes or javascript, and does show the underlying link before you click.


serves you right

1) for using Twitter

2) for going to random links that get thrown your way (*)

(*) The amount of people that just follow every random link they get sent via email, popups, AIM etc. is incredible.... It's like goldfish all desperately lunging after the flakes of fishfood thrown into a tank..


@Jared Earle

Well, sorry I was not as precise as I should have been.

"Of course, such users have been protected from click-jacking since a couple of days after the original discovery of the exploit."

This sentence referred to the first instances of the clickjacking discussions back in September 2008. http://www.pcworld.idg.com.au/article/260609/adobe_request_hackers_nix_clickjacking_talk

NoScript users were protected by default if they simply checked the "Forbid <IFRAME>" option.

Soon after the clickjacking proofs of concept were published, the NoScript plugin authors incorporated a feature called "ClearClick". This feature works independently of the IFRAME blocking method. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/

Mine's the one with the scripting pockets sewn up...

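The NoScript options above are client-side defences against the hidden-IFRAME technique; the server-side counterpart, which became standard later, is for the page itself to declare who may frame it. This added example (not from the thread or from NoScript) evaluates a page's X-Frame-Options and CSP frame-ancestors headers against a would-be framing origin; all header values and origins are constructed samples.

```javascript
// Added example, not from the thread or from NoScript: given a page's response
// headers, decide whether a given site could load the page in a hidden <iframe>.
// All header values and origins below are constructed samples.

// Return the source list of a CSP "frame-ancestors" directive, or null if absent.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression admit framerOrigin?
function sourceMatches(source, framerOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return framerOrigin === pageOrigin;
  if (source === '*') return true;
  // Scheme-only source such as "https:" admits any origin using that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framerOrigin.startsWith(source + '//');
  // Host source, with optional scheme and optional leading wildcard label.
  const framerHost = new URL(framerOrigin).host;
  const host = source.replace(/^[a-z]+:\/\//, '');
  if (host.startsWith('*.')) return framerHost.endsWith(host.slice(1));
  return framerHost === host;
}

// headers: object with lower-cased header names. CSP frame-ancestors wins over
// X-Frame-Options when both are present; unrecognised X-Frame-Options values
// (including the obsolete ALLOW-FROM) are treated as giving no protection.
function mayBeFramedBy(headers, pageOrigin, framerOrigin) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) return ancestors.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no framing protection: any page can overlay it invisibly
}

// Constructed sample responses: unprotected, X-Frame-Options only, CSP only.
const SAMPLES = {
  unprotected: {},
  xfoOnly: { 'x-frame-options': 'SAMEORIGIN' },
  cspOnly: { 'content-security-policy':
    "default-src 'self'; frame-ancestors 'self' https://trusted.example" },
};
```

A page that returns `true` for an arbitrary third-party origin is one that a hidden frame could overlay, which is the condition the "Don't Click" worm relied on.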
Tom

Only solution.

A complete new system, built with security in mind. How about we call it 'Scissors.'

But we can't run with that.


@Danny Thompson

iframes were a Microsoft bodge.

http://en.wikipedia.org/wiki/Iframe

"First introduced by Microsoft Internet Explorer in 1997 and long only available in that browser, iframes eventually became supported by all major brands."

Not sure if you were being ironic, but I thought I'd set things straight.


Collective noun for Twitter users?

Why, Twits of course!

(AKA: numpties)


I must be missing something

Whenever I see a link, I hover over it and look at the URI at the bottom of the browser. Does an iFrame somehow spoof that as well, or are people simply stupid?

Yes, I realise this is not an XOR question.


Yet another....

....proof that something which says "Do not push the big red button" will result in people doing exactly that. So when the "Your computer is infected....download the xyz antispyware now!" fails, they just put a button that says "Don't click this" or something similar, and thousands of normally sensible people will abandon their common sense and click it!!

Mind you, I'd probably have clicked it too, if I'd ever been on Twitter.

Anonymous Coward

Deity of choice here

Were you all abused as children by twitter or something? Terrified of birds perhaps? Do we really need to have the "Hurr durr twitter is for retards" discussion every time it's mentioned in an article? It's getting as tired as the Vista bashing that follows every article even tangentially related to Microsoft.


RE: I must be missing something

I think I'm missing something too.

Most of these "clickjacking" type "exploits" just sound like social engineering to me rather than anything technical that needs fixing.

I'm willing to be proved wrong though -- if someone comes up with a way of making a link on <insert random social networking site> that logs me in to an online store and sends things to someone else's address with my money, or siphons my bank account by logging me into online banking.


@Andy Worth

I think what you're trying to say is:

"What happens if I push this button?"

"I wouldn't....."

<Bing>

"Oh."

"What happened?"

"A little sign lit up saying: 'Please do not push this button again'."
