The Tech Herald

Twitter’s Clickjacking fix broken – then quickly fixed again

by Steve Ragan - Feb 13 2009, 19:19

What happens when you tell someone not to click a link? They click it, of course. This is exactly what happened Thursday on Twitter. An innocent-looking re-tweet started to appear, prefaced by the warning “Don’t Click.” Naturally, people clicked it, and the link then re-tweeted itself, posting to the profile of whoever clicked. The resulting propagation was harmless, but annoying as ever.

Still, while it was a prank this time around, it could have been something else.

To start, it’s time to dispel some FUD. No, the “Don’t Click” issue on Twitter was not a worm. No, your account is not at risk if you clicked the link (you don’t need to change your password because you clicked it, though you should change your password once every three months out of habit).

This was nothing more than a harmless gag, which, in the end, caused only confusion. Many people noticed they had posted a re-tweet of the link, yet they hadn’t posted it themselves; it was done for them.

“Some folks have noticed links from accounts they follow prefaced by the words, "Don't click" which of course people want to click right away. The links take you to a web site employing a technique called Clickjacking. This technique seeks to trick web users and can take action on your behalf while you perform seemingly unrelated tasks,” Twitter posted on Thursday, announcing that it was taking action to stop the Clickjacking and fix the site’s code.

“Thankfully the harm was restricted to constant reposting of the link, but we take malicious attacks on Twitter users very seriously and this morning we submitted an update which blocks this Clickjacking technique.”

However, there was a problem. Twitter’s fix didn’t last for long. Someone with some JavaScript skill removed the protections.

“Thanks to @tbga's JavaScript skills, Twitter's frame-busting is busted on Firefox and IE: http://shiflett.org/twitter.php,” wrote user Shiflett (Chris Shiflett).

The new approach worked for a few hours, until the Twitter team did something to correct it. No one knows for sure what this new fix is, but it halted the demo completely. You can try the demo page linked above yourself, but the button will be frozen solid.

“...actually it doesn't look like they're doing frame-busting anymore, more like wiping the HTML of the page instead,” said Jeremiah Grossman, CTO of WhiteHat Security, in a tweet on the new fix.

Jeremiah explained in an e-mail to The Tech Herald that: “The first fix was a standard piece of JavaScript frame-busting code placed on the Twitter status update page. When the "hackers" page notices the frame-busting code execute in the Twitter frame (i.e., change location) the execution is ordered to halt.”
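To make the difference between the two fixes concrete, here is an added example (written for this article, not Twitter's actual code) contrasting a classic frame-buster, which fails open if its location change never happens, with a fail-closed variant in the spirit of the second fix: the page renders nothing until it has confirmed it is the top-level window. Both functions take the window and document as parameters so they can be exercised outside a browser; the `antiCJ` style id is an assumed name.

```javascript
// Defensive clickjacking protections. Added example, not Twitter's own code.
// Assumes the page ships <style id="antiCJ">body { display: none }</style>.
// The right primary defense today is a response header (X-Frame-Options: DENY,
// or Content-Security-Policy: frame-ancestors 'none'); script is a fallback.

// Fix 1 (2009-style frame-busting): if we are framed, navigate the top window
// to our own URL. Fails OPEN: if that location change is prevented or the
// script is halted, the page stays framed and fully clickable.
function naiveFrameBust(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location; // the framing page may stop this
    return "redirected";
  }
  return "top-level";
}

// Fix 2 (fail closed): the body is hidden by default and only revealed once
// we know we are the top window. If the check never runs, or we are framed,
// nothing is rendered, so there is nothing for a hidden click to land on.
function revealIfTopLevel(win, doc) {
  if (win.top === win.self) {
    const hideRule = doc.getElementById("antiCJ");
    if (hideRule && hideRule.parentNode) {
      hideRule.parentNode.removeChild(hideRule); // make the page visible
    }
    return "revealed";
  }
  // Framed: keep the body hidden; escaping the frame is best effort only.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // cross-origin access may throw; the page simply stays blank
  }
  return "hidden";
}
```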

While the whole thing was a joke, as confirmed by the originator of “Don’t Click” on his blog, Clickjacking (Tweet-jacking?) is nothing new. Jeremiah was one of the two researchers who discovered the method and told the world this past summer. So why are we seeing more Clickjacking events now?

“As with many new hacking techniques it takes some time after initial discovery for other researchers to see for themselves what it can do through experimentation. That is the phase Clickjacking is in now. A relatively new attack technique is being tested on a high-profile target like Twitter to understand its effectiveness,” he explained.

“Similar experimentation could easily be happening on other sites, including social networks, though it would be really hard to detect. That's the power of Clickjacking. It's only a matter of time before truly malicious use of Clickjacking is used on a wide scale.”

This time it was a joke, but fortunately, at least for now, Twitter has blocked the code from running. That should help prevent a next time, when instead of comical pages we might get something far worse.
