Twitter attack exposes awesome power of clickjacking

Hard to stop, harder to resist


A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they're being attacked.

The outbreak was touched off by tweets that led Twitter readers to a button labeled "Don't click." Gullible users (including your reporter) who clicked on the button automatically posted messages that posted yet more tweets advertising the link. The attacks persisted even after Twitter added countermeasures to its site and proclaimed the issued fixed.

The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere. The so-called clickjacking exploit is pulled off by superimposing an invisible iframe over a button or link. Virtually every website and browser is susceptible to the technique. Technical details are available here.

"Before, it was more theoretical," security researcher Jeremiah Grossman said of clickjacking. "Now, this is evidence that it can be used and it's only a matter of time before it's used maliciously."

Grossman, who is CTO of web-security firm WhiteHat Security, first sounded the clickjacking alarm in September, along with Robert "RSnake" Hansen, CEO of secTheory.com. They say it can be used to trick users into believing a link leads to, say, Google when in fact it leads to a money-transfer page, a banner advertisement that's part of a click-fraud scheme, or any other page an attacker chooses.

Their research has led to security updates in Adobe's Flash software, but clickjacking remains a threat on virtually every platform, browser, and website, they warn. More recently, Microsoft has added anti-clickjacking protections to its Internet Explorer 8 browser, which is currently in beta. While that's a step in the right direction, some critics have contended the protection will be ineffective because it will require millions of websites to update their pages with proprietary code.

The Twitter attack lends some credence to claims that clickjacking will be hard to stop. Twitter developers on Thursday added code to its pages that were designed to neutralize frames placed in Twitter pages by changing the pages' location. "Problem should be gone," Twitter's network operations manager declared shortly afterward. Within hours, the exploit code had been modified to work around the countermeasure.

Twitter has once again managed to block the attack, but we're confident this isn't the last we'll hear of clickjacking on that site - and plenty of others. ®

Broader topics


Other stories you might like

  • Running Windows 10? Microsoft is preparing to fire up the update engines

    Winter Windows Is Coming

    It's coming. Microsoft is preparing to start shoveling the latest version of Windows 10 down the throats of refuseniks still clinging to older incarnations.

    The Windows Update team gave the heads-up through its Twitter orifice last week. Windows 10 2004 was already on its last gasp, have had support terminated in December. 20H2, on the other hand, should be good to go until May this year.

    Continue reading
  • Throw away your Ethernet cables* because MediaTek says Wi-Fi 7 will replace them

    *Don't do this

    MediaTek claims to have given the world's first live demo of Wi-Fi 7, and said that the upcoming wireless technology will be able to challenge wired Ethernet for high-bandwidth applications, once available.

    The fabless Taiwanese chip firm said it is currently showcasing two Wi-Fi 7 demos to key customers and industry collaborators, in order to demonstrate the technology's super-fast speeds and low latency transmission.

    Based on the IEEE 802.11be standard, the draft version of which was published last year, Wi-Fi 7 is expected to provide speeds several times faster than Wi-Fi 6 kit, offering connections of at least 30Gbps and possibly up to 40Gbps.

    Continue reading
  • Windows box won't boot? SystemRescue 9 may help

    An ISO image you can burn or drop onto a USB key

    The latest version of an old friend of the jobbing support bod has delivered a new kernel to help with fixing Microsoft's finest.

    It used to be called the System Rescue CD, but who uses CDs any more? Enter SystemRescue, an ISO image that you can burn, or just drop onto your Ventoy USB key, and which may help you to fix a borked Windows box. Or a borked Linux box, come to that.

    SystemRescue 9 includes Linux kernel 5.15 and a minimal Xfce 4.16 desktop (which isn't loaded by default). There is a modest selection of GUI tools: Firefox, VNC and RDP clients and servers, and various connectivity tools – SSH, FTP, IRC. There's also some security-related stuff such as Yubikey setup, KeePass, token management, and so on. The main course is a bunch of the usual Linux tools for partitioning, formatting, copying, and imaging disks. You can check SMART status, mount LVM volumes, rsync files, and other handy stuff.

    Continue reading

Biting the hand that feeds IT © 1998–2022