Curiosity killed the twit, Twitter clickjacking

dontclick

Twitter was flooded this morning with users posting “Don’t Click: http://tinyurl.com/amgzs6″. TinyURL has since terminated the URL. The original page doesn’t seem to be live either. It displayed a button that said “Don’t Click”. If the user happened to be logged into Twitter, it would automatically update their status. The instigator partially describes the method on his blog (translated). The page would load the user’s Twitter page in an invisible iframe. The status would be pasted in and the “Don’t Click” button is placed on top of the update button. You can find the code snippets here and the original author credits this post for the inspiration. Twitter has since added a JavaScript fragment to each page to break out of iframes.

if (window.top !== window.self) { window.top.location.href = window.self.location.href; }

Clickjacking webcast tomorrow

[Jeremiah Grossman] and [Eric Lawrence] will be presenting on clickjacking and browser security in an online seminar tomorrow. Clickjacking allows an attacker to transparently place links exactly where a user would be clicking, essentially forcing the user to perform actions without their knowledge. This method of attack has been known for a few years, but researchers have focused their attention on it lately because they feel the threat has been underestimated. Recently, Adobe patched a vulnerability specifically because of this issue. Tune in tomorrow for more info on the attack.