I noticed that Frederic Lardinois caught wind of the “Don’t Click!” Twitter social virus today over at ReadWriteWeb today. I actually lightly blogged this vulnerability February 4th on my LinkBlog (which if you’re not subscribed to, well, now you know the kind of great stuff you’re missing).
The original story was on DarkReading on February 3rd, entitled: “Twitter Clickjacking Hack Released.” In the piece, Kelly Jackson Higgins not only described the attack type in great detail, but had (for a time) a link to where the hack itself could be downloaded and tested.
Padolsey’s Twitter clickjacking attack (click here to experience it if you’re a Twitter user) basically positions an iFrame over a button that’s linked to Twitter’s “Status” function. While logged in to Twitter, the victim clicks the button on the demo page and, voila, his Twitter status gets changed by the attack to a harmless update the user, himself, had no control over: “Yes, I did click the button!!! (WHAT!!??)”
“This is a pretty harmless example, but I can imagine it being used for more sinister endeavours,” Padolsey blogged. “Clickjacking is a dangerous, malicious technique — take it seriously.”
Essentially it’s just a CSS layer placed over a button, which opens an iFrame and uses your cookie that you have set that leaves you logged into Twitter. It bypasses the API altogether.
There really isn’t any defense around this – except for a problem with the hack that Steven Hodson and I found. If you dig around, you can find the source code for the hack still in Google’s cache, as I did (almost all of the working hacks mentioned in the security articles have been taken offline now).
Steven and I both tried utilizing the cached and live versions of the hack in Google Chrome and Internet Explorer, and both browsers seemed to be patched against the exploit (hence why I only talked about it on the linkblog, instead of a more in-depth article like this). In essence, the hack didn’t work.
So, essentially, it’s not that big of a deal (even though @ev says there’s a fix going out now).