Web developer demonstrates new clickjacking attack on Twitter

Feb 27, 2009 11:26 GMT  ·  By

After the Twitter staff had a hard time patching a harmless, but intriguing, clickjacking attack originally launched by a French blogger, a British web developer has come up with a similar new way to mess with the users of the micro-blogging website.

At the end of January, a URL with a message reading "Don't click" next to it started being propagated by Twitter users. Upon closer inspection, it was revealed that the "worm" was actually a UI redressing attack preying on the curiosity of individuals.

UI (user interface) redressing, more commonly known as clickjacking, is a class of attacks that exploits an architectural weakness in the way browsers implement HTML. It allows hidden objects to be loaded on top of visible ones, hijacking the mouse clicks of users who believe they are interacting with the legitimate resource.

There are several techniques for achieving this behavior. In particular, the "Don't click" menace loaded the Twitter page in a fully transparent iframe positioned over a "Don't Click" button through CSS. The loaded page abused a Twitter feature that allowed pre-filling the status update form by passing text directly as a URL parameter, and it was positioned so that the hidden form Submit button overlapped the visible "Don't click" one.

The Twitter staff were quick to react and deployed a JavaScript-based fix, which prevented the Twitter page from being loaded in an external frame. Soon after, other web programming enthusiasts found ways to circumvent the fix, and the propagation of the harmless worm continued.

Eventually, the site administration successfully implemented a better fix to the problem, although still based on JavaScript. While investigating possible ways to bypass the new frame busting code, Tom Graham, a web developer living in Leicester, UK, noticed that Twitter's version for hand-held devices, which allowed for much of the same functionality as the normal one, did not contain any JavaScript at all.
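The JavaScript frame-busting approach the article describes, written out as an added example that is not Twitter's own code: the page keeps its content hidden until the script confirms it is the top-level window, so a transparent framed copy never exposes a clickable form. The `win` parameter is a stand-in for the browser's `window` (with the assumed shape used below) so the decision logic can be exercised outside a browser.

```javascript
// Added example: "hidden-until-proven-top" frame busting, a defensive
// variant of the JavaScript fix the article describes. Not Twitter's code.
// `win` stands in for the browser `window` object so the decision logic
// can be run in Node; in a real page you would call it with `window`.

// Returns true when the document is being rendered inside another frame,
// the precondition for a clickjacking overlay.
function isFramed(win) {
  return win.top !== win.self;
}

// Decide what the page should do. The body starts out hidden via CSS
// (e.g. <body style="display:none">) so that even if the buster is
// neutralised, nothing is there to click. Only an unframed document is
// shown; a framed one attempts to break out to the top-level window.
function applyFrameProtection(win) {
  if (!isFramed(win)) {
    win.document.body.style.display = "block";
    return "shown";
  }
  // Navigating the top window to our own URL replaces the framing page.
  // A hostile parent can interfere with this (the article notes the first
  // fix was circumvented), which is why the body stays hidden regardless.
  // None of this helps a page that ships no JavaScript at all.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // Cross-origin access to top.location may throw; body remains hidden.
  }
  return "busted";
}

// Minimal stand-in window objects for demonstration (constructed, not real
// browser objects; URLs are placeholders).
function makeWindow(framed) {
  const self = { location: "https://site.example/" };
  self.self = self;
  self.document = { body: { style: { display: "none" } } };
  self.top = framed ? { location: "https://framing-page.example/" } : self;
  return self;
}
```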

Therefore, Tom created a new proof-of-concept attack exploiting the shortcoming on the Twitter mobile page. "I unleashed [it] on a few of my followers for a short while before making the iframe visible," he notes. The developer explains that "The mobile site currently has no JavaScript on it at all, which is probably for good reason, as most mobile phones don’t support it."

Tom's attack no longer works either, suggesting that the staff of the micro-blogging platform has found a solution to block it too, but it's unlikely that it will last. Even though these incidents have been harmless, they back up what security researchers have claimed from the start – clickjacking affects all browsers on all platforms and, while temporary workarounds might be found to address a very specific attack, there is still no fix in sight for the underlying problem.

Meanwhile, Mozilla Firefox users can protect themselves by installing the NoScript extension, which implements clickjacking detection and blocking at the client-side level.