Twitter ClickJacking Vulnerability

Use Netsparker


Click-jacking has hit the news a few times recently with most browsers being susceptible to this kind of redirection attack.

This time it’s Twitter that’s being hit, as with anything gaining popularity it’s going to become the focus of more attacks and attempts to compromise its security.

It seems like click-jacking may well be here to stay and it might become a widespread problem, especially for sites with interactive content and especially for those based around ‘voting‘ systems.

Two weeks after the micro-blogging site immunized its users against a fast-moving worm that caused them to unintentionally broadcast messages when they clicked on an innocuous-looking button, hackers have found a new way to exploit the clickjacking vulnerability.

The latest attack comes from UK-based web developer Tom Graham, who discovered that the fix Twitter rolled out wasn’t applied to the mobile phone section of the site. By the time we stumbled on his findings, the exploit no longer worked. But security consultant Rafal Los sent us a minor modification that sufficiently pwned a dummy account we set up for testing purposes.

“The mobile site currently has no javascript on it at all, which is probably for a good reason as most mobile phones don’t support it,” Graham writes. “So it begs the question, how should Twitter prevent this click-jacking exploit?”

This problem was once again quickly fixed, but I’m sure it can be tweaked again to wreak havoc. Plus of course these vulnerabilities are being published in the open and blown up on mass-media sites so they get attention quickly.

I’m sure there’s plenty of people out there who aren’t quite so honourable and are more interested in gaming the system for their own benefit.

It’s an interesting way for spammers to infest Twitter with spam on legitimate accounts, all they have to do is get the user to click a button somewhere on a quiz or game and it’s a done deal.

The proof-of-concept page presents the user with the question “Do you have a tiny face?” along with buttons to answer “yes” or “no.” Choosing the affirmative while logged in to Twitter causes the account to publicly declare: “I have a tiny face, do you?” and then include a link to Graham’s post.

The exploit is the latest reason to believe that clickjacking, on Twitter and elsewhere, is here to stay, at least until HTML specifications are rewritten. No doubt web developers will continue to come up with work-arounds, but hackers can just as quickly find new ways to exploit the vulnerability, it seems.

That’s because clickjacking attacks a fundamental design of HTML itself. It’s pulled off by hiding the target URL within a specially designed iframe that’s concealed by a decoy page that contains submission buttons. Virtually every website and browser is susceptible to the technique.

It’ll be interesting to see how long this cat and mouse chase goes on and if a version of the exploit can be crafted that will still work whatever Twitter does (discounting a major rebuild of their architecture and technology).

I’m sure other sites are vulnerable too, perhaps we’ll see Facebook version soon which will post a Note or a message on your profile crafted by the site serving up the click-jacking exploit.

Source: The Register

Posted in: Exploits/Vulnerabilities, Web Hacking

, , ,


Latest Posts:


BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads
Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.


One Response to Twitter ClickJacking Vulnerability

  1. dblackshell March 5, 2009 at 6:51 pm #

    clickjacking & twitter… have tried cooking an attack vector against their clickjacking protection for a couple of hours until finally gave up.

    Even so there is a thing to note. If you load their page as an object (not iframe) their clickjacking protection delays for a second or two… Haven’t managed to find a way that a user would click where I want in that specified time frame, but when I get more time at hands I will try to find a way to accomplish this… hopefully with some results..