Allowing a link to be propagated by unsuspecting users

Feb 13, 2009 09:36 GMT

A mysterious “Don't click” link was being spread by Twitter users, who obviously were curious enough to click on it. The attack proved nothing more than a harmless clickjacking demonstration, but it was nevertheless addressed by the Twitter staff.

At the end of January, a blogger released proof-of-concept code for a clickjacking attack that would force people to post spam to their own Twitter feeds without their knowledge. A few days ago, someone put it into practice and launched a harmless but instructive campaign that demonstrated how simple social engineering combined with clickjacking could be used to mount potentially dangerous attacks.

Clickjacking is a complex threat that allows an attacker to hijack users' clicks and use them for a variety of purposes without their knowledge. It is a problem that must be addressed at the core level of all major browsers, and is therefore not simple to counter. In technical terms it is referred to as “user interface redressing,” because it attaches malicious actions to an otherwise legitimate website element. For example, a user might think they are clicking a legitimate button, but the click is hijacked to launch a malicious download.

In the Twitter attack, accessing a “Don't click” link would open an external page with a “Don't click” button. Clicking the button while being authenticated on Twitter would post the “Don't click” link on your own Twitter feed. There was nothing more to it, but it propagated very fast.

Daniel Sandler, a Computer Science PhD student at Rice University, explains the technique on his blog. According to Sandler, the “Don't Click” button is actually inactive, but an iframe loading twitter.com is positioned on top of it. The iframe is then rendered invisible by changing its transparency through CSS. Just because it is invisible to the user, however, does not mean it is no longer there.

Therefore, “When you click the button, you’re actually clicking on the (now invisible) ‘Update’ button on Twitter’s web interface instead,” Sandler writes. Since Twitter allows the update form to be preloaded with a message directly through the URL, via the ?status= parameter, submitting the form inside the rogue iframe posts whatever the attacker preloaded, in this case the “Don't click” message and link.

Even though this attack did not cause any harm, the Twitter staff acknowledged the potential danger and fixed the issue. “Thankfully, the harm was restricted to constant reposting of the link, but we take malicious attacks on Twitter users very seriously, and this morning we submitted an update which blocks this clickjacking technique,” reads a post on the official Twitter blog. The update consists of two lines of JavaScript that prevent the Twitter page from loading inside an iframe.
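As an added illustration, not Twitter's own code (the article only says the fix was two lines of JavaScript), here is the classic frame-busting check in the style described, alongside the response headers a site would set today to refuse framing outright; the window objects are constructed stand-ins so the code runs offline.

```javascript
// Added example: clickjacking defence for a page like Twitter's update form.
// Assumption: this is the general shape of a 2009-era frame-buster, not the
// actual script Twitter shipped.

// A document loaded inside an <iframe> sees a `top` window that is not itself.
function isFramed(win) {
  return win.top !== win.self;
}

// Classic two-line frame-buster: if we are framed, navigate the top-level
// window to our own URL so the page can no longer be overlaid on a decoy button.
// Returns true when a bust was triggered, false when the page is top-level.
function frameBust(win) {
  if (isFramed(win)) {
    win.top.location = win.self.location;
    return true;
  }
  return false;
}

// Header-based defence that browsers later added (assumption: the server sets
// these on every response). Unlike script, it cannot be disabled by the framer.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Constructed stand-in for a browser window object (not a real DOM).
// `framed` simulates being embedded in an attacker-controlled page.
function makeWindow(url, framed) {
  const win = { location: { href: url } };
  win.self = win;
  win.top = framed
    ? { location: { href: "http://attacker.example/dont-click" } }
    : win;
  return win;
}
```

Script-based busting can be defeated by the framing page, so the response headers are the defence to rely on.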

This “Twitter-jacking” attack could have been easily adapted by spammers, malware distributors, or phishers to cause serious damage.