Twitter ClickJacking Vulnerability


Click-jacking has hit the news a few times recently with most browsers being susceptible to this kind of redirection attack.

This time it’s Twitter that’s being hit, as with anything gaining popularity it’s going to become the focus of more attacks and attempts to compromise its security.

It seems like click-jacking may well be here to stay and it might become a widespread problem, especially for sites with interactive content and especially for those based around ‘voting‘ systems.

Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.

The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn’t applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.

“The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don’t support it,” Graham writes. “So it begs the question, how should Twitter prevent this click-jacking exploit?”

This problem was once again quickly fixed, but I’m sure it can be tweaked again to wreak havoc. Plus of course these vulnerabilities are being published in the open and blown up on mass-media sites so they get attention quickly.

I’m sure there’s plenty of people out there who aren’t quite so honourable and are more interested in gaming the system for their own benefit.

It’s an interesting way for spammers to infest Twitter with spam on legitimate accounts, all they have to do is get the user to click a button somewhere on a quiz or game and it’s a done deal.

The proof-of-concept page presents the user with the question “Do you have a tiny face?” along with buttons to answer “yes” or “no.” Choosing the affirmative while logged in to Twitter causes the account to publicly declare: “I have a tiny face, do you?” and then include a link to Graham’s post.

The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.

That’s because clickjacking attacks a fundamental design of HTML itself. It’s pulled off by hiding the target URL within a specially designed iframe that’s concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.

It’ll be interesting to see how long this cat and mouse chase goes on and if a version of the exploit can be crafted that will still work whatever Twitter does (discounting a major rebuild of their architecture and technology).

I’m sure other sites are vulnerable too, perhaps we’ll see Facebook version soon which will post a Note or a message on your profile crafted by the site serving up the click-jacking exploit.

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking

, , ,


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


One Response to Twitter ClickJacking Vulnerability

  1. dblackshell March 5, 2009 at 6:51 pm #

    clickjacking & twitter… have tried cooking an attack vector against their clickjacking protection for a couple of hours until finally gave up.

    Even so there is a thing to note. If you load their page as an object (not iframe) their clickjacking protection delays for a second or two… Haven’t managed to find a way that a user would click where I want in that specified time frame, but when I get more time at hands I will try to find a way to accomplish this… hopefully with some results..