Twitter ClickJacking Vulnerability

Keep on Guard!


Click-jacking has hit the news a few times recently with most browsers being susceptible to this kind of redirection attack.

This time it’s Twitter that’s being hit, as with anything gaining popularity it’s going to become the focus of more attacks and attempts to compromise its security.

It seems like click-jacking may well be here to stay and it might become a widespread problem, especially for sites with interactive content and especially for those based around ‘voting‘ systems.

Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.

The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn’t applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.

“The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don’t support it,” Graham writes. “So it begs the question, how should Twitter prevent this click-jacking exploit?”

This problem was once again quickly fixed, but I’m sure it can be tweaked again to wreak havoc. Plus of course these vulnerabilities are being published in the open and blown up on mass-media sites so they get attention quickly.

I’m sure there’s plenty of people out there who aren’t quite so honourable and are more interested in gaming the system for their own benefit.

It’s an interesting way for spammers to infest Twitter with spam on legitimate accounts, all they have to do is get the user to click a button somewhere on a quiz or game and it’s a done deal.

The proof-of-concept page presents the user with the question “Do you have a tiny face?” along with buttons to answer “yes” or “no.” Choosing the affirmative while logged in to Twitter causes the account to publicly declare: “I have a tiny face, do you?” and then include a link to Graham’s post.

The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.

That’s because clickjacking attacks a fundamental design of HTML itself. It’s pulled off by hiding the target URL within a specially designed iframe that’s concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.

It’ll be interesting to see how long this cat and mouse chase goes on and if a version of the exploit can be crafted that will still work whatever Twitter does (discounting a major rebuild of their architecture and technology).

I’m sure other sites are vulnerable too, perhaps we’ll see Facebook version soon which will post a Note or a message on your profile crafted by the site serving up the click-jacking exploit.

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking

, , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


One Response to Twitter ClickJacking Vulnerability

  1. dblackshell March 5, 2009 at 6:51 pm #

    clickjacking & twitter… have tried cooking an attack vector against their clickjacking protection for a couple of hours until finally gave up.

    Even so there is a thing to note. If you load their page as an object (not iframe) their clickjacking protection delays for a second or two… Haven’t managed to find a way that a user would click where I want in that specified time frame, but when I get more time at hands I will try to find a way to accomplish this… hopefully with some results..