clickjacking

Did you know that clicking on an innocent link on a webpage while logged into Twitter allows a malicious cracker to update your Twitter status without you knowing? This link is usually invisible or placed under a commonly used button. This is known as clickjacking.

An example of clickjacking on Twitter was revealed by James Padolsey, who also recommended installing the NoScript Firefox add-on as a method of protection. See his article to get an example of clickjacking in action.

Using the basic technique of positioning an iframe over a button coupled with Twitter’s ’status’ URL parameter I have created a small demo which shows you just how serious (and annoying) this could be! It will only work if you’re currently logged into Twitter.

Via Dark Reading, which also offers a quote from some researchers:

Robert “RSnake” Hansen, who, along with fellow researcher Jeremiah Grossman, first revealed the dangers of clickjacking, says Twitter isn’t as attractive a clickjacking target as other vectors, however. “I don’t see it as all that interesting as an attack point compared to routers, banks, Webmail, etc.,” says Hansen, founder of SecTheory. “But I can see why there’s a fascination in making people say things they didn’t intend to say.”


Filed under: Twitter Security Issues