quote:Twitter attack exposes awesome power of clickjacking
Hard to stop, harder to resist
A worm that forced a wave of people to unintentionally broadcast messages on microblogging site Twitter shows the potential of a vulnerability known as clickjacking to dupe large numbers of internet users into installing malware or visiting malicious pages without any clue they're being attacked.
The outbreak was touched off by tweets that led Twitter readers to a button labeled "Don't click." Gullible users (including your reporter) who clicked on the button automatically posted messages that posted yet more tweets advertising the link. The attacks persisted even after Twitter added countermeasures to its site and proclaimed the issued fixed.
The attack exploited a vulnerability at the core of the web that allows webmasters to trick users into clicking on one link even though the underlying HTML code appears to show it leads elsewhere. The so-called clickjacking exploit is pulled off by superimposing an invisible iframe over a button or link. Virtually every website and browser is susceptible to the technique. Technical details are available here.
Microsoft has added anti-clickjacking protections to its Internet Explorer 8 browser, which is currently in beta. While that's a step in the right direction, some critics have contended the protection will be ineffective because it will require millions of websites to update their pages with proprietary code.
The Twitter attack lends some credence to claims that clickjacking will be hard to stop. Twitter developers on Thursday added code to its pages that were designed to neutralize frames placed in Twitter pages by changing the pages' location. "Problem should be gone," Twitter's network operations manager declared shortly afterward. Within hours, the exploit code had been modified to work around the countermeasure.
Twitter has once again managed to block the attack, but we're confident this isn't the last we'll hear of clickjacking on that site - and plenty of others.
NoScript for Firefox effectively prevents this exploit.
It makes you wonder... if we ran out and put a sticker on all electrical outlets that read, "Don't put a screwdriver in here," how many people would be sporting a freaky new hair-do?
·
·