February 4, 2009

Dangerous Clickjacking Hack for Twitter Revealed

By admin

Did you know that clicking an innocent-looking link on a web page while logged into Twitter can let a malicious cracker update your Twitter status without your knowledge? The link is usually invisible or placed under a commonly used button. This is known as clickjacking.


An example of clickjacking on Twitter was revealed by James Padolsey, who also recommended installing the NoScript Firefox add-on as a method of protection:

Using the basic technique of positioning an iframe over a button coupled with Twitter’s ‘status’ URL parameter I have created a small demo which shows you just how serious (and annoying) this could be! It will only work if you’re currently logged into Twitter.

Via Dark Reading, which also offers a quote from some researchers:

Robert “RSnake” Hansen, who, along with fellow researcher Jeremiah Grossman, first revealed the dangers of clickjacking, says Twitter isn’t as attractive a clickjacking target as other vectors, however. “I don’t see it as all that interesting as an attack point compared to routers, banks, Webmail, etc.,” says Hansen, founder of SecTheory. “But I can see why there’s a fascination in making people say things they didn’t intend to say”.
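The only defence mentioned above is client-side (NoScript). The server-side fix for the iframe-overlay technique Padolsey describes is for the site itself to refuse to be framed by other origins. As an added example (not code from the post, from Padolsey, or from Twitter), the following Python check classifies a response's framing policy from its X-Frame-Options and Content-Security-Policy frame-ancestors headers; the header values are constructed inline.

```python
"""Classify whether an HTTP response can be loaded in a third-party
iframe, which is what the Twitter clickjacking demo relies on."""


def framing_policy(headers: dict) -> str:
    """Return 'deny', 'sameorigin', 'restricted' or 'frameable'.

    'frameable' means no effective anti-framing header is present, so an
    attacker's page can overlay the response under an innocent button.
    """
    # Header names are case-insensitive.
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options when both
    # are present, so it is evaluated first.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            if "*" in sources:
                return "frameable"  # wildcard permits any framer
            return "restricted"  # an explicit allow-list of origins

    # Fall back to the older X-Frame-Options header.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo.startswith("ALLOW-FROM"):
        # Legacy form; not honoured by all browsers, prefer frame-ancestors.
        return "restricted"
    return "frameable"


# Constructed sample headers: an unprotected page versus a hardened one.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    print("unprotected:", framing_policy(UNPROTECTED))  # frameable
    print("hardened:   ", framing_policy(HARDENED))  # deny
```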