New “Don't Click” attack launched

Feb 14, 2009 10:29 GMT

A new variant of the "Don't click" clickjacking user-propagated link has been making victims on Twitter. The new attack was launched by someone who found a way around the original fix deployed by the Twitter staff.

A few days ago, users of the popular micro-blogging service Twitter were the target of an attack employing a technique known as clickjacking. The attack led curious users who clicked on a link that read "Don't click" to propagate it further by unintentionally posting it on their own Twitter feed.

Since the person behind it doesn't seem to have had any malicious intentions, the attack itself being harmless, security experts speculated that it was probably launched as a demonstration of the power and risks of clickjacking. Clickjacking, or, in more technical terms, user interface redressing, is a technique that involves overlapping a malicious website object over a legitimate one and hiding it by setting its transparency to 0, so that only the legitimate one is visible to the user. This allows attackers to effectively hijack a user's click and redirect it to whatever they desire, for example prompting a malware download.

In the case of the Twitter attack, the "Don't click" link took users to a page that displayed a "Don't click" button. However, on top of the "Don't click" button, the Twitter page with a predefined URL that auto-completed the status form was being loaded in an iframe. The frame was completely transparent and positioned in such a way that attempting to click on the "Don't click" button was actually hitting the Submit button of the Twitter form pre-filled with the "Don't click" link.

If this action was performed by someone who was authenticated on Twitter, it would cause them to unintentionally post the link on their own Twitter feed. The staff of the micro-blogging service initially addressed this by adding a bit of JavaScript code, which detected when an iframe was trying to load the Twitter page and blocked it by displaying a blank one instead.

However, according to The Register, someone figured out a workaround and launched a new version of the "Don't click" annoyance, forcing Twitter admins to rethink their approach and come up with a new solution to mitigate this attack. But even if they have succeeded for now, security experts claim that this is only temporary and that trying to fend off clickjacking is a game of cat and mouse, because the issue is much bigger and lies at the core of the web architecture.

Clickjacking is an issue that affects all websites, all platforms and all browsers. Currently, the free NoScript extension for Firefox is capable of protecting users from many clickjacking attacks, but it is by no means a fix for the problem. Internet Explorer 8 will also introduce protection against UI redressing attacks, though experts claim that it is only theoretical, because it relies on the assumption that millions of web developers will add some code suggested by Microsoft to their websites.
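As an added example (not code from the article, Twitter or Microsoft), here is a defender-side view of the two layers described above: the script-based check that blanks a page when it is framed, of the kind Twitter's first fix used, and the X-Frame-Options response header that IE8 introduced, which the browser enforces before any page script runs and which was later joined by the Content-Security-Policy frame-ancestors directive. Function names, the header set returned, and the sample windows and headers are assumptions of this example.

```javascript
// Added example, not the article's or Twitter's code. Two layers of
// anti-framing defence for a page like a status-update form.

// Layer 1: the script-based check. `win` stands in for the browser's window
// object so the logic can run outside a browser. Returns true when the page
// is inside a frame and should render nothing (the article's "blank page").
// This layer alone is fragile: it runs inside the framed page, so the
// embedding page's environment can interfere with it.
function shouldBlankWhenFramed(win) {
  return win.top !== win.self;
}

// Layer 2: headers the server attaches to every HTML response. The browser
// refuses to render the page inside a frame, regardless of page scripts.
// DENY blocks framing by any origin, including the site's own.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Defender's check: do these response headers (names case-insensitive)
// refuse cross-origin framing? Suitable as an assertion in a test suite
// run against a site's own responses.
function refusesFraming(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? String(headers[key]).trim() : "";
  };
  const xfo = get("x-frame-options").toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return true;
  const csp = get("content-security-policy");
  // frame-ancestors limited to 'none' and/or 'self' refuses outside framing.
  const m = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (m) {
    const sources = m[1].trim().split(/\s+/).map((s) => s.toLowerCase());
    return sources.every((s) => s === "'none'" || s === "'self'");
  }
  return false;
}

// Constructed sample inputs (not real browser objects or captured responses).
const sharedTop = {};
const topLevelWindow = { top: sharedTop, self: sharedTop }; // not framed
const framedWindow = { top: {}, self: {} };                 // inside an iframe
const unprotectedHeaders = { "Content-Type": "text/html" };
```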