Twitter ClickJacking Vulnerability



Click-jacking has hit the news a few times recently with most browsers being susceptible to this kind of redirection attack.

This time it’s Twitter that’s being hit. As with anything gaining popularity, it’s going to become the focus of more attacks and attempts to compromise its security.

It seems like click-jacking may well be here to stay and it might become a widespread problem, especially for sites with interactive content and especially for those based around ‘voting’ systems.

Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.

The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn’t applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.

“The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don’t support it,” Graham writes. “So it begs the question, how should Twitter prevent this click-jacking exploit?”

This problem was once again quickly fixed, but I’m sure it can be tweaked again to wreak havoc. Plus of course these vulnerabilities are being published in the open and blown up on mass-media sites so they get attention quickly.

I’m sure there are plenty of people out there who aren’t quite so honourable and are more interested in gaming the system for their own benefit.

It’s an interesting way for spammers to infest Twitter with spam on legitimate accounts: all they have to do is get the user to click a button somewhere on a quiz or game and it’s a done deal.

The proof-of-concept page presents the user with the question “Do you have a tiny face?” along with buttons to answer “yes” or “no.” Choosing the affirmative while logged in to Twitter causes the account to publicly declare: “I have a tiny face, do you?” and then include a link to Graham’s post.

The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.

That’s because clickjacking attacks a fundamental design of HTML itself. It’s pulled off by hiding the target URL within a specially designed iframe that’s concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.

It’ll be interesting to see how long this cat and mouse chase goes on and if a version of the exploit can be crafted that will still work whatever Twitter does (discounting a major rebuild of their architecture and technology).

I’m sure other sites are vulnerable too; perhaps we’ll see a Facebook version soon, which will post a Note or a message on your profile crafted by the site serving up the click-jacking exploit.

Source: The Register
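Graham's question about protecting a section of a site that has no JavaScript has a server-side answer in browsers that honour anti-framing response headers: `X-Frame-Options` and the later CSP `frame-ancestors` directive, neither of which the post itself mentions. The check below is an added example, not code from the original post or from Twitter; it evaluates a response's headers and reports whether the page could still be rendered inside a frame on another origin. The origins and sample responses are constructed for illustration.

```javascript
// Added example: would a browser that honours anti-framing headers render
// this response inside a frame hosted on embedderOrigin? Simplified model:
// one level of framing, exact-origin matching (no wildcard hosts or schemes).
function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function framingVerdict(headers, pageOrigin, embedderOrigin) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    // When both headers are present, frame-ancestors is the one enforced.
    const framable = ancestors.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "'self'") return embedderOrigin === pageOrigin;
      return s === '*' || s === embedderOrigin.toLowerCase();
    });
    return { framable, decidedBy: 'frame-ancestors' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, decidedBy: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { framable: embedderOrigin === pageOrigin, decidedBy: 'x-frame-options' };
  }
  // No recognised header: nothing stops a decoy page from framing this one.
  return { framable: true, decidedBy: 'none' };
}

// Constructed sample responses (hypothetical origins, not captured traffic).
const SITE = 'https://m.example.test';
const DECOY = 'https://decoy.example.test';
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'deny' },
  xfoSameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWins: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': `frame-ancestors ${DECOY}` },
};
for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, framingVerdict(headers, SITE, DECOY));
}
```

Running the same check against every section of a site, including the mobile one, surfaces the kind of gap described above, where a fix reached one part of the site and not another.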


One Response to Twitter ClickJacking Vulnerability

  1. dblackshell March 5, 2009 at 6:51 pm #

    clickjacking & twitter… have tried cooking an attack vector against their clickjacking protection for a couple of hours until finally gave up.

    Even so there is a thing to note. If you load their page as an object (not iframe) their clickjacking protection delays for a second or two… Haven’t managed to find a way that a user would click where I want in that specified time frame, but when I get more time at hands I will try to find a way to accomplish this… hopefully with some results..