Twitter's tit-for-tat struggle against clickjackers continues. Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability. …
Unless Twitter or the poster has closed the bug, its not working when viewed with the Safari 4 beta...
What, is it sung around log fires in Norse verse?
Mines the one with the horns and big hammer.
Robert Simmons, the proof of concept purposely displays the iframe as it is not intended to cause any harm by tricking unsuspecting Twitter users. Is that what you meant by "not working in Safari 4?".
"By the time we stumbled on his findings, the exploit no longer worked." - As far as I can tell the exploit still works. To clarify visiting http://m.twitter.com usually results in the mobile version of Twitter being displayed, however only until a user has selected the "Standard" view using the link at the bottom of each page. The exploit would then no longer work until the users cookies are cleared (as twitter seems to store the standard/mobile preference).
Move along, nothing to see here...
Twits hacking other twits who use twitter.
...seems to stop this as well.
Would this work?
Add some server-side code to the Twitter submission page to check the page referrer, and have a confirmation screen if the referrer isn't twitter.com.
Uh how about twitter stop auto filling the status field when it's passed in a GET request ? That's a good fecking start!